Windows Analysis Report
doc-1.exe

Overview

General Information

Sample name:doc-1.exe
Analysis ID:1431427
MD5:cb0453ea959b40b3a0500dac08b0a309
SHA1:574ee3b44cf4e11ea8a2b19554e2b9c709c5177a
SHA256:9f3034de7f891cbccf1e97f2ce5a806907149a573258ed1c094301b5919d3bba
Tags:exe
Infos:

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Found API chain indicative of debugger detection
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • doc-1.exe (PID: 6880 cmdline: "C:\Users\user\Desktop\doc-1.exe" MD5: CB0453EA959B40B3A0500DAC08B0A309)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: doc-1.exe | Virustotal: Detection: 7%
Source: C:\Users\user\Desktop\doc-1.exe | Code function: 0_2_00479B50 TlsGetValue,TlsGetValue,TlsSetValue,BCryptGenRandom,0_2_00479B50
Source: C:\Users\user\Desktop\doc-1.exe | Code function: 0_2_0042FF42 BCryptGenRandom,SystemFunction036,0_2_0042FF42
Source: doc-1.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: doc-1.exe | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-supportyfqBCUuiHMkgJBsjVLIZXuZmbxVFvbUFzjnbhVPhCE
Source: C:\Users\user\Desktop\doc-1.exe | Code function: 0_2_00406F46 memcpy,memcpy,memcpy,memset,AcquireSRWLockExclusive,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,ReleaseSRWLockExclusive,ReleaseSRWLockExclusive,GlobalMemoryStatusEx,K32GetPerformanceInfo,PdhOpenQueryA,PdhCollectQueryData,NtQuerySystemInformation,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,GetUserNameW,GetUserNameW,GetNativeSystemInfo,GetCurrentProcessId,memcpy,memset,0_2_00406F46
Source: C:\Users\user\Desktop\doc-1.exe | Code function: 0_2_0047CF27 NtQueryInformationProcess,NtQueryInformationProcess,0_2_0047CF27
Source: C:\Users\user\Desktop\doc-1.exe | Code function: 0_2_0047BFDF NtQueryInformationProcess,NtQueryInformationProcess,0_2_0047BFDF
Source: C:\Users\user\Desktop\doc-1.exe | Code function: String function: 00414310 appears 76 times
Source: C:\Users\user\Desktop\doc-1.exe | Code function: String function: 00414630 appears 129 times
Source: classification engine | Classification label: mal52.evad.winEXE@1/0@0/0
Source: doc-1.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\doc-1.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\doc-1.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\doc-1.exe | Section loaded: pdh.dll
Source: C:\Users\user\Desktop\doc-1.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\doc-1.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\doc-1.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\doc-1.exe | Code function: 0_2_0048F830 LoadLibraryA,GetProcAddress,FreeLibrary,0_2_0048F830
Source: doc-1.exe | Static PE information: real checksum: 0xc2eec should be: 0xb6eb6
Source: doc-1.exe | Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\doc-1.exe | Code function: 0_2_00419540 push 75058D48h; retf 0_2_00419608
Source: C:\Users\user\Desktop\doc-1.exe | Code function: 0_2_004195A0 push 75058D48h; retf 0_2_00419608
Source: C:\Users\user\Desktop\doc-1.exe | API coverage: 0.9 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\doc-1.exe | Code function: 0_2_004320CC GetSystemInfo,memcpy,memcpy,memcpy,memcpy,CloseHandle,0_2_004320CC

Anti Debugging

Source: C:\Users\user\Desktop\doc-1.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep (graph_0-40973)
Source: C:\Users\user\Desktop\doc-1.exe | Code function: 0_2_00406F46 memcpy,memcpy,memcpy,memset,AcquireSRWLockExclusive,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,ReleaseSRWLockExclusive,ReleaseSRWLockExclusive,GlobalMemoryStatusEx,K32GetPerformanceInfo,PdhOpenQueryA,PdhCollectQueryData,NtQuerySystemInformation,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,GetUserNameW,GetUserNameW,GetNativeSystemInfo,GetCurrentProcessId,memcpy,memset,0_2_00406F46
Source: C:\Users\user\Desktop\doc-1.exe | Code function: 0_2_0048F830 LoadLibraryA,GetProcAddress,FreeLibrary,0_2_0048F830
Source: C:\Users\user\Desktop\doc-1.exe | Code function: 0_2_0047D854 GetProcessHeap,0_2_0047D854
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\doc-1.exe | Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_initterm,GetStartupInfoA,exit,0_2_00401180
Source: C:\Users\user\Desktop\doc-1.exe | Code function: 0_2_004023D4 RtlAddVectoredExceptionHandler,SetThreadStackGuarantee,GetLastError,0_2_004023D4
Source: C:\Users\user\Desktop\doc-1.exe | Code function: 0_2_004B8A18 SetUnhandledExceptionFilter,0_2_004B8A18
Source: C:\Users\user\Desktop\doc-1.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\doc-1.exe | Code function: 0_2_0042B09E CreateNamedPipeW,memcpy,CreateIoCompletionPort,0_2_0042B09E
Source: C:\Users\user\Desktop\doc-1.exe | Code function: 0_2_0048E400 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_0048E400
  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
  • Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
  • Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
  • Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
  • Defense Evasion: Virtualization/Sandbox Evasion (1); Disable or Modify Tools (1); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1)
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
  • Discovery: System Time Discovery (1); Security Software Discovery (12); Virtualization/Sandbox Evasion (1); Account Discovery (1); System Owner/User Discovery (1); System Information Discovery (3)
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
  • Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
  • Command and Control: Encrypted Channel (2); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
doc-1.exe | 7% | Virustotal |
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://docs.rs/getrandom#nodejs-es-module-supportyfqBCUuiHMkgJBsjVLIZXuZmbxVFvbUFzjnbhVPhCE | doc-1.exe | false | | high
No contacted IP infos
    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1431427
    Start date and time:2024-04-25 05:06:04 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 2m 0s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:1
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:doc-1.exe
    Detection:MAL
    Classification:mal52.evad.winEXE@1/0@0/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 3
    • Number of non-executed functions: 134
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Stop behavior analysis, all processes terminated
    No simulations
    No context
    No created / dropped files found
    File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
    Entropy (8bit):6.395965924406632
    TrID:
    • Win64 Executable (generic) (12005/4) 74.95%
    • Generic Win/DOS Executable (2004/3) 12.51%
    • DOS Executable Generic (2002/1) 12.50%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
    File name:doc-1.exe
    File size:741'888 bytes
    MD5:cb0453ea959b40b3a0500dac08b0a309
    SHA1:574ee3b44cf4e11ea8a2b19554e2b9c709c5177a
    SHA256:9f3034de7f891cbccf1e97f2ce5a806907149a573258ed1c094301b5919d3bba
    SHA512:ba2fb7d55fefc568e02591be107e95a16c6d689457b53b27a20bdfd9eb925c3d1d5f4e4c0603dcb8bdd877cbea365492bb7426eee1d56565ea6b2e1d621209b1
    SSDEEP:12288:pHb/x4iH+TYlPsHAhObXHrEDMgwYjfj4dv0kS2EAgOqtwcd:BZ4ieTYlsgkbC4h0kS2Ilh
    TLSH:3BF45C07F29650BDC4AEC174875B6272FA72BC4D0535BA6F0BD48B313E25B50AB1EB18
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....(f........../..........N................@...........................................`... ............................
    Icon Hash:90cececece8e8eb0
    Entrypoint:0x4014b0
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
    Time Stamp:0x6628ABDB [Wed Apr 24 06:51:07 2024 UTC]
    TLS Callbacks:0x446d50
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:64a0a11f6bac8e22afe78f6842288e69
    Instruction
    dec eax
    sub esp, 28h
    dec eax
    mov eax, dword ptr [000A8F15h]
    mov dword ptr [eax], 00000001h
    call 00007F2DC0C35D2Fh
    call 00007F2DC0BA8AAAh
    nop
    nop
    dec eax
    add esp, 28h
    ret
    nop dword ptr [eax+00h]
    nop word ptr [eax+eax+00000000h]
    dec eax
    sub esp, 28h
    dec eax
    mov eax, dword ptr [000A8EE5h]
    mov dword ptr [eax], 00000000h
    call 00007F2DC0C35CFFh
    call 00007F2DC0BA8A7Ah
    nop
    nop
    dec eax
    add esp, 28h
    ret
    nop dword ptr [eax+00h]
    nop word ptr [eax+eax+00000000h]
    dec eax
    sub esp, 28h
    call 00007F2DC0C31014h
    dec eax
    test eax, eax
    sete al
    movzx eax, al
    neg eax
    dec eax
    add esp, 28h
    ret
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    dec eax
    lea ecx, dword ptr [00000009h]
    jmp 00007F2DC0BA8DC9h
    nop dword ptr [eax+00h]
    ret
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    inc ecx
    push edi
    inc ecx
    push esi
    inc ecx
    push ebp
    inc ecx
    push esp
    push esi
    push edi
    push ebp
    push ebx
    dec eax
    sub esp, 00000248h
    movaps esp+00000230h, dqword ptr [xmm6]
    dec ecx
    mov edi, ecx
    call 00007F2DC0BACC9Bh
    dec eax
    test eax, eax
    je 00007F2DC0BA8DF6h
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb8000 | 0x1ef0 | .idata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xab000 | 0x4038 | .pdata
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0xa9fe0 | 0x28 | .rdata
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0xb8730 | 0x640 | .idata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x8ed08 | 0x8ee00 | 82e33ab797aced224cc1a1da5852a179 | False | 0.5409899934383202 | data | 6.32049451646991 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .data | 0x90000 | 0x2b0 | 0x400 | 55418744122f18690206799e38f7f5c4 | False | 0.15625 | data | 1.0300332799297227 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rdata | 0x91000 | 0x19420 | 0x19600 | 2aed4bdd1cf185e23c02d64535332f3c | False | 0.5187711668719212 | data | 5.983924071076773 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
    .pdata | 0xab000 | 0x4038 | 0x4200 | c57ac2dfec47985597882d15a8dc4f1c | False | 0.4698745265151515 | data | 5.799901732107319 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
    .xdata | 0xb0000 | 0x5ed0 | 0x6000 | d7db3f704a09250f8dd43b410253b6be | False | 0.3329264322916667 | data | 5.187616423289117 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
    .bss | 0xb6000 | 0x1560 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .idata | 0xb8000 | 0x1ef0 | 0x2000 | 3d12909de2f093e4ea8874bb6f36ba43 | False | 0.30615234375 | data | 4.547364614399058 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .CRT | 0xba000 | 0x78 | 0x200 | 8dcd437c88c8b7791159864cb6c2d3f2 | False | 0.091796875 | data | 0.396790685092107 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .tls | 0xbb000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    DLL | Import
    KERNEL32.dll | AcquireSRWLockExclusive, AcquireSRWLockShared, AddVectoredExceptionHandler, CancelIoEx, CloseHandle, CompareStringOrdinal, ConnectNamedPipe, CreateFileMappingA, CreateFileW, CreateIoCompletionPort, CreateNamedPipeW, CreateProcessW, CreateThread, CreateToolhelp32Snapshot, CreateWaitableTimerExW, DeleteCriticalSection, DeleteProcThreadAttributeList, DuplicateHandle, EnterCriticalSection, ExitProcess, FormatMessageW, FreeEnvironmentStringsW, FreeLibrary, GetCommandLineW, GetComputerNameExW, GetConsoleMode, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetEnvironmentVariableW, GetFileAttributesW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFinalPathNameByHandleW, GetFullPathNameW, GetLastError, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetNativeSystemInfo, GetOverlappedResult, GetProcAddress, GetProcessHeap, GetProcessIoCounters, GetProcessTimes, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryW, GetSystemInfo, GetSystemTimeAsFileTime, GetSystemTimes, GetTickCount, GetWindowsDirectoryW, GlobalMemoryStatusEx, HeapAlloc, HeapFree, HeapReAlloc, InitOnceBeginInitialize, InitOnceComplete, InitializeCriticalSection, InitializeProcThreadAttributeList, IsDBCSLeadByteEx, K32GetPerformanceInfo, LeaveCriticalSection, LoadLibraryA, LoadLibraryExA, LocalAlloc, LocalFree, MapViewOfFile, Module32FirstW, Module32NextW, MultiByteToWideChar, OpenProcess, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, ReadFile, ReadFileEx, ReadProcessMemory, ReleaseSRWLockExclusive, ReleaseSRWLockShared, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetLastError, SetThreadStackGuarantee, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SleepConditionVariableSRW, SleepEx, SwitchToThread, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, UnmapViewOfFile, UpdateProcThreadAttribute, VirtualProtect, VirtualQuery, VirtualQueryEx, WaitForSingleObject, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile, WriteFileEx, __C_specific_handler
    msvcrt.dll | ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _endthreadex, _errno, _fmode, _fpreset, _initterm, _onexit, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, malloc, signal, strerror, strncmp, vfprintf
    ntdll.dll | memcmp, memcpy, memmove, memset, pow, strlen, wcslen
    ntdll.dll | NtCancelIoFileEx, NtDeviceIoControlFile, NtQueryInformationProcess, NtQuerySystemInformation, NtWriteFile, RtlGetVersion, RtlNtStatusToDosError
    advapi32.dll | AllocateAndInitializeSid, CopySid, FreeSid, GetLengthSid, GetTokenInformation, GetUserNameW, InitializeSecurityDescriptor, IsValidSid, OpenProcessToken, SetEntriesInAclW, SetSecurityDescriptorDacl, SystemFunction036
    bcrypt.dll | BCryptGenRandom
    oleaut32.dll | GetErrorInfo, SysFreeString, SysStringLen
    pdh.dll | PdhAddEnglishCounterW, PdhCloseQuery, PdhCollectQueryData, PdhGetFormattedCounterValue, PdhOpenQueryA, PdhRemoveCounter
    powrprof.dll | CallNtPowerInformation
    psapi.dll | GetModuleFileNameExW, GetProcessMemoryInfo
    shell32.dll | CommandLineToArgvW
    No network behavior found

    Target ID:0
    Start time:05:06:51
    Start date:25/04/2024
    Path:C:\Users\user\Desktop\doc-1.exe
    Wow64 process (32bit):false
    Commandline:"C:\Users\user\Desktop\doc-1.exe"
    Imagebase:0x400000
    File size:741'888 bytes
    MD5 hash:CB0453EA959B40B3A0500DAC08B0A309
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true

      Execution Graph

      Execution Coverage:0.3%
      Dynamic/Decrypted Code Coverage:0%
      Signature Coverage:32.3%
      Total number of Nodes:99
      Total number of Limit Nodes:4

      Control-flow Graph

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled_cexitmemcpystrlen
      • String ID: @rK$PuK$XuK
      • API String ID: 1640792405-3341304455
      • Opcode ID: 4397159f744e3e8f62fa6e36cb323cd077c0a54a2d2a734fb1a9eebee9c21c4a
      • Instruction ID: 4411f9d487a6dac6681ffd654f1012327162db0198ca0550bbaefefd1efd9bf6
      • Opcode Fuzzy Hash: 4397159f744e3e8f62fa6e36cb323cd077c0a54a2d2a734fb1a9eebee9c21c4a
      • Instruction Fuzzy Hash: 46719EB1710A4486EB24EF56E89076A33A1B746B88F44442BEF09A77A1DF3DC854C709
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      Strings
      Similarity
      • API ID: ErrorLast
      • String ID: =J$8YJ$`XJ$combase.dll$main$p3J
      • API String ID: 1452528299-596559082
      • Opcode ID: 7941122de0f24320c3e43e294700bbd5ed2be0d7b4ac1be75a1b01f9b2bc0544
      • Instruction ID: 75ab2eec9a44127937b9acb6a9450944266c4574debb09bb6f3f1ea23bac1e8b
      • Opcode Fuzzy Hash: 7941122de0f24320c3e43e294700bbd5ed2be0d7b4ac1be75a1b01f9b2bc0544
      • Instruction Fuzzy Hash: BD51D172309B4091EB11EF11E99439A7360F785788F90402BEB8E537A4EFBDC58AC749
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • SetThreadDescription.KERNELBASE ref: 0044712E
      Similarity
      • API ID: DescriptionThread
      • String ID:
      • API String ID: 2285587249-0
      • Opcode ID: b8063fee80f944067dc418f5dc6fc201963b3d0dd346ced935feaa811d3d809e
      • Instruction ID: 97d907a13199f7a7941e2a37e0abbdf7768dba3c99c6ef3e045ff3663c918654
      • Opcode Fuzzy Hash: b8063fee80f944067dc418f5dc6fc201963b3d0dd346ced935feaa811d3d809e
      • Instruction Fuzzy Hash: 73F0A45121E99081EA11AB12E40539EA721E781FD4F54802BEA4D17B18DF6DC9878708
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Similarity
      • API ID:
      • String ID: =J$/,@$8sJ$8sJ$H;J$Total CP$V@J$[fJ$[fJ$^gJ$`async fn` resumed after completion$armv5armv6armv7arm64i386i586i686x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64$assertion failed: successwhoami-1.4.1rpUTXVNtgMtVRvf$assertion failed: vec.capacity() - start >= lenrayon-1.8.1kdtGsCcHxHW$cannot access a Thread Local Storage value during or after destructionNtHgFDtekXONzqhlFlQwLwBSoWxHXrIjNcystVojTfNFroAqTbGPwlPIbUHSugSQZpuLwvTbziGpjRB$combase.dll$data length less than 8, rand string length is not enough$encrypt_key$global_key_idle disappearedsysinfo-0.30.5fIkhSFuVdsfnqeXHimHqVj$install$key_used disappeared$lock count overflow in reentrant mutexlibrarydOBCOGZGzyaSjAFgSVrkMGxh$nown$payloadentry_namegcparamsentry is invalidexecuteMKVoWAyeGAeLMZfbqan$pipe_nameexecuteEhfeYJEicXvOOqC$stdoutlibrarylzbjFWnLCcuXBvkubN$task_idx86386amd64usernameprocess_nameexecutablepidparent_process_nameppidarch$task_type$x?J
      • API String ID: 0-1434011761
      • Opcode ID: 84dc46f44deb42089cbf68d135613152f8d4fb837d44b984fc8937f98ab13931
      • Instruction ID: a4f3015f022de716206989cce3d2bb652b37221d2d24dbb5320d7e082506ad9b
      • Opcode Fuzzy Hash: 84dc46f44deb42089cbf68d135613152f8d4fb837d44b984fc8937f98ab13931
      • Instruction Fuzzy Hash: DA439E72608BC081DA21DB26E4453EEB361FB89B88F44822ADF8D17B99DF7CC546C745
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Similarity
      • API ID:
      • String ID: "J$(PJ$.exeprogram not found$@aJ$@aJ$@aJ$@aJ$PATHRUST_MIN_STACKfatal runtime error: assertion failed: thread_info.stack_guard.get().is_none() && thread_info.thread.get().is_none()$\?\\$]?\\$assertion failed: self.height > 0$h$internal error: entered unreachable codecalled `Option::unwrap()` on a `None` value
      • API String ID: 0-2084285905
      • Opcode ID: 918293365666b45441832c942344ebfa36257068fe8a03af620b81053b571868
      • Instruction ID: e00b0217a7be0cf4d1e2695fe292defa670aa695b0262dc06801c9614d81cd43
      • Opcode Fuzzy Hash: 918293365666b45441832c942344ebfa36257068fe8a03af620b81053b571868
      • Instruction Fuzzy Hash: 7E33AD72609BC081DA319B16E4843EBA3A0F7C5B84F544227DE9D47B99EF3CC585CB4A
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      Strings
      Similarity
      • API ID: memcpymemset
      • String ID: %^bind_hash$-ppipe_nameexecuteEhfeYJEicXvOOqC$/,@$/,@$8zJ$8zJ$8zJ$8zJ$8zJ$8zJ$8zJ$8zJ$8zJ$8zJ$8zJ$=$@aJ$@aJ$Failed to `Enter::block_on`$HwJ$Slice must be the same length as the array$TOKIO_WORKER_THREADStokio-1.35.1GAAxoBVfUTzhofHypXPb"" cannot be set to 0$UFH$^gJ$`hJ$assertion failed: sharded_size.is_power_of_two()tokio-1.35.1opIOpzNydtZxIBFUvuldgnSwy$assertion failed: shared.shutdown_tx.is_some()tokio-1.35.1RbMLmBPTJKkaSEdIeYoymHIMvViHl$attempt to calculate the remainder with a divisor of zerothere is no such thing as a release load$called `Result::unwrap()` on an `Err` value$cannot access a Thread Local Storage value during or after destructionNtHgFDtekXONzqhlFlQwLwBSoWxHXrIjNcystVojTfNFroAqTbGPwlPIbUHSugSQZpuLwvTbziGpjRB$combase.dll$corrupt deflate stream$failed to park thread$flow when subtracting durations$internal error: entered unreachable codecalled `Option::unwrap()` on a `None` value$mismatchtask_idx86386amd64usernameprocess_nameexecutablepidparent_process_nameppidarch$pQI$pQI$pipe_prefix$r$thread name may not contain interior null bytes$pJ$pJ$pJ
      • API String ID: 1297977491-1208857643
      • Opcode ID: d694f27ebe95ce67f2d84dbf2978ec6085a915772ac81f2725fed9cb0d253f6d
      • Instruction ID: 76a5c4816ad096abcfe36a02320e855553cf288c30bc229e17a732141b92b5ef
      • Opcode Fuzzy Hash: d694f27ebe95ce67f2d84dbf2978ec6085a915772ac81f2725fed9cb0d253f6d
      • Instruction Fuzzy Hash: EC529C72318BC081DB25DB26E4503EA7365F789B88F44852AEE8D17B59DF3CC686C748
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Similarity
      • API ID: memcpy
      • String ID: /,@$8zJ$8zJ$8zJ$8zJ$8zJ$8zJ$8zJ$8zJ$8zJ$8zJ$PjJ$PjJ$PjJ$PjJ$^gJ$assertion failed: end >= start && end <= len$called `Option::unwrap()` on a `None` value$cannot access a Thread Local Storage value during or after destructionNtHgFDtekXONzqhlFlQwLwBSoWxHXrIjNcystVojTfNFroAqTbGPwlPIbUHSugSQZpuLwvTbziGpjRB$combase.dll
      • API String ID: 3510742995-2276254108
      • Opcode ID: 37b62789dbb2af39cf3d3d434ede05e9efd4933400441581a4073133d6a6d65e
      • Instruction ID: a0601ade94bcee6b7352bb77d3843c5137fdca6b41fec980860ee74367801750
      • Opcode Fuzzy Hash: 37b62789dbb2af39cf3d3d434ede05e9efd4933400441581a4073133d6a6d65e
      • Instruction Fuzzy Hash: FA92E172704B8081DA20EF16E4413AE6765F789BD8F448627DE9D67799EF3CC686C308
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      Strings
      • internal error: entered unreachable codecalled `Option::unwrap()` on a `None` value, xrefs: 00473950, 00473CFF
      • PJ, xrefs: 0047365F
      Similarity
      • API ID: ErrorLast$FullNamePath
      • String ID: internal error: entered unreachable codecalled `Option::unwrap()` on a `None` value$PJ
      • API String ID: 2482867836-1401652814
      • Opcode ID: 841b243c78ecf8a73e2c425edca1418e0c008ba2e62147f26240f6319a4527ad
      • Instruction ID: 8d0b19c310dd350b213b16ac8c2f0db788d1d9529e1dac2e2d35d5eb30489b30
      • Opcode Fuzzy Hash: 841b243c78ecf8a73e2c425edca1418e0c008ba2e62147f26240f6319a4527ad
      • Instruction Fuzzy Hash: 0C12D462304B8086DB20AF12E4453AFA760F7857D8F54852BEE8D47B99DF7CC682D709
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Similarity
      • API ID: memcpy
      • String ID: XqI$assertion failed: d.mant > 0$assertion failed: d.mant.checked_add(d.plus).is_some()$assertion failed: d.mant.checked_sub(d.minus).is_some()$assertion failed: d.minus > 0$assertion failed: d.plus > 0$assertion failed: noborrowassertion failed: digits < 40assertion failed: other > 0
      • API String ID: 3510742995-1859209338
      • Opcode ID: b03a328fd84dcb5b5abc8a136ee1edca051c8f3d32b5d5a6abe10895541f81ba
      • Instruction ID: e06bcd12a69d30aa9c9316e12209fac90077ab5338151b874089aec6725d7fd4
      • Opcode Fuzzy Hash: b03a328fd84dcb5b5abc8a136ee1edca051c8f3d32b5d5a6abe10895541f81ba
      • Instruction Fuzzy Hash: 1E822272B19BC086EB20CB11E5407EAB361F3D5798F945227DA9913B99DB3CC5C6CB08
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      Strings
      Similarity
      • API ID: memcpy
      • String ID: /,@$8sJ$HwJ$YFI$YFI$`async fn` resumed after completion$combase.dll$failed to park thread$internal error: entered unreachable codecalled `Option::unwrap()` on a `None` value$lock must be acquired before waiting$number of permits must not overflow
      • API String ID: 3510742995-2564312932
      • Opcode ID: dafd0d47f0704096200f97a47eeecd766aeed259536927fd3825c499dc724e83
      • Instruction ID: cb26dce142c07ec51f08a9d84ed942857971069c35a17b19f7769927fa338987
      • Opcode Fuzzy Hash: dafd0d47f0704096200f97a47eeecd766aeed259536927fd3825c499dc724e83
      • Instruction Fuzzy Hash: A8228B72209BC081DA21DB15E4543EFB760F799B88F44812BEA8E17BA9DF7CC585C748
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetSystemInfo.KERNEL32 ref: 004325CB
        • Part of subcall function 004304F8: memcpy.NTDLL ref: 00430511
        • Part of subcall function 004304F8: memcpy.NTDLL ref: 00430543
      • memcpy.NTDLL ref: 004326A8
      • memcpy.NTDLL ref: 004326E1
      • memcpy.NTDLL ref: 00432A82
      • memcpy.NTDLL ref: 00432BDA
        • Part of subcall function 00412E60: HeapReAlloc.KERNEL32 ref: 00412F2A
        • Part of subcall function 00472D10: GetLastError.KERNEL32 ref: 00472DA7
      • CloseHandle.KERNEL32 ref: 00432E65
      Strings
      • `hJ, xrefs: 004330B7
      • thread name may not contain interior null bytes, xrefs: 004330C3
      • RAYON_NUM_THREADSRAYON_RS_NUM_CPUSThreadPoolBuildError, xrefs: 004324D3
      • 6`J, xrefs: 00432AA0
      Similarity
      • API ID: memcpy$AllocCloseErrorHandleHeapInfoLastSystem
      • String ID: 6`J$RAYON_NUM_THREADSRAYON_RS_NUM_CPUSThreadPoolBuildError$`hJ$thread name may not contain interior null bytes
      • API String ID: 1257019547-2802671382
      • Opcode ID: 7bee79a52ec50498139701627d6463c508d9d987499d0aa4fec356b41b75a5bb
      • Instruction ID: 3f82ec14c7e7bfdfa48546c3881b054d12e9088e25b8b4e33d1bb718ddc73891
      • Opcode Fuzzy Hash: 7bee79a52ec50498139701627d6463c508d9d987499d0aa4fec356b41b75a5bb
      • Instruction Fuzzy Hash: 31826832209BC481D6758B16E9513EEB3A4F798B84F44921ADFCC17B59DF78C296CB04
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Similarity
      • API ID: ErrorLast$FullNamePath
      • String ID: \\?\\\?\UNC\$combase.dll$internal error: entered unreachable codecalled `Option::unwrap()` on a `None` value
      • API String ID: 2482867836-213592486
      • Opcode ID: 2a2c4a07f3f68e773469f9894b9d14b0e4bd5e32229247b2956a9dd0707d42fb
      • Instruction ID: 30ee45dd72bba7fed295efdf1bc4c45e79db868138c9ec5f126d603b4136bae7
      • Opcode Fuzzy Hash: 2a2c4a07f3f68e773469f9894b9d14b0e4bd5e32229247b2956a9dd0707d42fb
      • Instruction Fuzzy Hash: 2302FF72608F9081DB20DF16E4443AAA365F395B98F558127EF8D47B95EF7CC882C70A
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Similarity
      • API ID: CloseEnvironmentHandleStrings
      • String ID: (PJ$HOJ
      • API String ID: 1140201626-3485663183
      • Opcode ID: 78d2b50b89c3cbaa5646d969c42b150eccc015a282df274e70696273c01afc07
      • Instruction ID: ac2b519b0e1ac70965876836fbebb35ee79271b7975338f3fb3bb132f1740f87
      • Opcode Fuzzy Hash: 78d2b50b89c3cbaa5646d969c42b150eccc015a282df274e70696273c01afc07
      • Instruction Fuzzy Hash: C202BF72219BC4C5DA319B12E4443EBA3A4F784B98F044227DF9987B95EF7CC486C74A
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      • ^gJ, xrefs: 0047B337
      • 0bJ, xrefs: 0047B256
      • /,@, xrefs: 0047B34A
      • cannot access a Thread Local Storage value during or after destructionNtHgFDtekXONzqhlFlQwLwBSoWxHXrIjNcystVojTfNFroAqTbGPwlPIbUHSugSQZpuLwvTbziGpjRB, xrefs: 0047B343
      • assertion failed: mid <= self.len(), xrefs: 0047B311
      • 0bJ, xrefs: 0047B243
      Similarity
      • API ID: memcpy
      • String ID: /,@$0bJ$0bJ$^gJ$assertion failed: mid <= self.len()$cannot access a Thread Local Storage value during or after destructionNtHgFDtekXONzqhlFlQwLwBSoWxHXrIjNcystVojTfNFroAqTbGPwlPIbUHSugSQZpuLwvTbziGpjRB
      • API String ID: 3510742995-1808124256
      • Opcode ID: 96b41d71f21b742d6d5581e74bc061aa7c5e5d193beb206a8a07060d98f87ff4
      • Instruction ID: 6b19871d81a003402ee28722acced8ebb94bd5e86cce7460628a3ce4b8b9eac9
      • Opcode Fuzzy Hash: 96b41d71f21b742d6d5581e74bc061aa7c5e5d193beb206a8a07060d98f87ff4
      • Instruction Fuzzy Hash: 77624672618BC482D6718B16E4803EEB3A4F799B88F54921ADBCD03B59DF3CC295CB45
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • HeapReAlloc.KERNEL32 ref: 00471E13
      • InitializeProcThreadAttributeList.KERNEL32 ref: 00471E57
      • UpdateProcThreadAttribute.KERNEL32 ref: 00471EB9
      Strings
      Similarity
      • API ID: AttributeProcThread$AllocHeapInitializeListUpdate
      • String ID: @aJ$@aJ$called `Option::unwrap()` on a `None` value$nPJ
      • API String ID: 561812158-3811350012
      • Opcode ID: c57f15080fc914575f66139c511934b952d355a87820bb947208cb707cc60fab
      • Instruction ID: 078d98dd071ccb76006127b7cb4a02eca804e3e57d5e9f5b08d761404dd204e4
      • Opcode Fuzzy Hash: c57f15080fc914575f66139c511934b952d355a87820bb947208cb707cc60fab
      • Instruction Fuzzy Hash: F071137131168081DE14AB2B96017FA6351FB96BE8F94C627EE6E173E5DE7DC482C308
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Similarity
      • API ID:
      • String ID: XqI$assertion failed: d.mant + d.plus < (1 << 61)$assertion failed: d.mant > 0$assertion failed: d.mant.checked_add(d.plus).is_some()$assertion failed: d.mant.checked_sub(d.minus).is_some()$assertion failed: d.minus > 0$assertion failed: d.plus > 0$assertion failed: digits < 40assertion failed: other > 0$assertion failed: edelta >= 0librarykJRZbZeQRcKnOfHoqhgGppuJVO$attempt to divide by zero$mSI
      • API String ID: 0-3500061563
      • Opcode ID: 8abdf5cbc469555aa135c3de65ef49a4f92b9e1e76d17b78ab0095280534fb6e
      • Instruction ID: 4ecf5f77c114069e23e8f9450c712fde8c174ddc81cfebebbb63676abee065de
      • Opcode Fuzzy Hash: 8abdf5cbc469555aa135c3de65ef49a4f92b9e1e76d17b78ab0095280534fb6e
      • Instruction Fuzzy Hash: DA32C1B2728BC483EA24CF55E8447EAA321F7957C4F549126EE8D17B58DB3CC686C708
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Similarity
      • API ID: Value$CryptRandom
      • String ID: Authenti$GenuineI$HygonGen
      • API String ID: 658332386-696657513
      • Opcode ID: c28ec390998bd561396ea2ed198efac9356ab020b7d08a3d948b6cb7578381f0
      • Instruction ID: a4fd6dbc48a3e04fcafda16ac339eb8c051582e7a21503e6d3b8434fc60d1e53
      • Opcode Fuzzy Hash: c28ec390998bd561396ea2ed198efac9356ab020b7d08a3d948b6cb7578381f0
      • Instruction Fuzzy Hash: 87B1AAB3724A5002FB198B56FC12BEA5991B398BC4F04A43AEE8F97B85D97CCD11C344
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • ReleaseSRWLockExclusive.KERNEL32 ref: 00408508
      Strings
      • Total CP, xrefs: 00408674
      • task_idx86386amd64usernameprocess_nameexecutablepidparent_process_nameppidarch, xrefs: 004085B1
      • pipe_nameexecuteEhfeYJEicXvOOqC, xrefs: 004085E1
      Similarity
      • API ID: ExclusiveLockRelease
      • String ID: Total CP$pipe_nameexecuteEhfeYJEicXvOOqC$task_idx86386amd64usernameprocess_nameexecutablepidparent_process_nameppidarch
      • API String ID: 1766480654-2153574380
      • Opcode ID: 464667add6c0a92f415aa837c75afd23d716ac2ebcd98429b06307037bfa5985
      • Instruction ID: 07a0a740a492b08302547c94c589df81ac7fc436f6ec61fa6e0a160ef2e1bdd7
      • Opcode Fuzzy Hash: 464667add6c0a92f415aa837c75afd23d716ac2ebcd98429b06307037bfa5985
      • Instruction Fuzzy Hash: 7BC19E32608BC592E7359F26E9453EA73A4F795788F40822AEBC817B59DF3CC195C704
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • ReleaseSRWLockExclusive.KERNEL32 ref: 0040856D
      • GlobalMemoryStatusEx.KERNEL32 ref: 00408749
      • K32GetPerformanceInfo.KERNEL32 ref: 0040879D
      • PdhOpenQueryA.PDH ref: 00408832
      • PdhCollectQueryData.PDH ref: 00408A56
      • NtQuerySystemInformation.NTDLL ref: 00408BEB
        • Part of subcall function 0047A108: memcpy.NTDLL ref: 0047A17C
      Strings
      • Total CP, xrefs: 00408674
      • task_idx86386amd64usernameprocess_nameexecutablepidparent_process_nameppidarch, xrefs: 004085B1
      • pipe_nameexecuteEhfeYJEicXvOOqC, xrefs: 004085E1
      Similarity
      • API ID: Query$CollectDataExclusiveGlobalInfoInformationLockMemoryOpenPerformanceReleaseStatusSystemmemcpy
      • String ID: Total CP$pipe_nameexecuteEhfeYJEicXvOOqC$task_idx86386amd64usernameprocess_nameexecutablepidparent_process_nameppidarch
      • API String ID: 2760678902-2153574380
      • Opcode ID: 176540238da0be68c93818961e96c410285098a3032a4759dca37acff04cb735
      • Instruction ID: 10757785c111c9ee6d07a455ad8c0bc9a966eda7ec875da2f872c32063e01a68
      • Opcode Fuzzy Hash: 176540238da0be68c93818961e96c410285098a3032a4759dca37acff04cb735
      • Instruction Fuzzy Hash: 2BC1AB32608BC492E7259F26E9453EEB3A4F794788F40822AEBC817B59DF7CC195C704
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • ReleaseSRWLockExclusive.KERNEL32 ref: 0040856D
      • GlobalMemoryStatusEx.KERNEL32 ref: 00408749
      Strings
      • Total CP, xrefs: 00408674
      • task_idx86386amd64usernameprocess_nameexecutablepidparent_process_nameppidarch, xrefs: 004085B1
      • pipe_nameexecuteEhfeYJEicXvOOqC, xrefs: 004085E1
      Similarity
      • API ID: ExclusiveGlobalLockMemoryReleaseStatus
      • String ID: Total CP$pipe_nameexecuteEhfeYJEicXvOOqC$task_idx86386amd64usernameprocess_nameexecutablepidparent_process_nameppidarch
      • API String ID: 738436483-2153574380
      • Opcode ID: 8deb8d79ec7fd4035e208e9c4aaf1c1440be276fc4a78abd1d666172f228c977
      • Instruction ID: 92f3cc1d1f598b98df1270f60a7a26e7f9258f862764d960406ac34d791a9968
      • Opcode Fuzzy Hash: 8deb8d79ec7fd4035e208e9c4aaf1c1440be276fc4a78abd1d666172f228c977
      • Instruction Fuzzy Hash: 71C19D32608BC492E7259F26E9413EEB3A4F795788F40922AEBC817B59DF7CC195C704
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Similarity
      • API ID:
      • String ID: /,@$Error$assertion failed: lookahead_size >= len_to_move$called `Result::unwrap()` on an `Err` value$combase.dll$description$internal_code$os_error$unknown_codeOS Error:
      • API String ID: 0-4047826160
      • Opcode ID: b20d8107d4e0bece5f6f73efc11995af06448a61e890d4d4dcb13c04e23c0a51
      • Instruction ID: 8f56a47f54b4ea51408c27558706ee0887c6f7ea7e22772b53a53aee5b195e6e
      • Opcode Fuzzy Hash: b20d8107d4e0bece5f6f73efc11995af06448a61e890d4d4dcb13c04e23c0a51
      • Instruction Fuzzy Hash: BBB2ADB2708BE486DB21CB16F44479AB7A5F388B88F854127EE8E43B55DB7CC585CB04
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Similarity
      • API ID: ErrorLast$FullNamePath$memcmp
      • String ID:
      • API String ID: 1351486824-0
      • Opcode ID: f08ab2d5bc32e7ea6b143c3976bb1a1e60f1f2dc4b6b81ba515ad63781b3c55e
      • Instruction ID: 275f9865ff0a1fefb3bb262572ad6bebfdeec3420608257e38cdf7a5f78aa040
      • Opcode Fuzzy Hash: f08ab2d5bc32e7ea6b143c3976bb1a1e60f1f2dc4b6b81ba515ad63781b3c55e
      • Instruction Fuzzy Hash: 7A712662614BC085DB209F26E84435BA7A0F3957E8F14C21BEE9D43BA4EB7CC5C4D709
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Similarity
      • API ID:
      • String ID: 8zJ$Failed to allocate security descriptorthis should never fail$[L@$`async fn` resumed after completion$combase.dll$log_type$msg$pipe_nameexecuteEhfeYJEicXvOOqC
      • API String ID: 0-2785384733
      • Opcode ID: f07f855762758ada22336ef9930abd24a6c353f1b30ac70cdc2b8e47cf2b71af
      • Instruction ID: bbceb007dc196dce14560fd8731d8139b0bad1c59058324a1d91f7fb3361c32d
      • Opcode Fuzzy Hash: f07f855762758ada22336ef9930abd24a6c353f1b30ac70cdc2b8e47cf2b71af
      • Instruction Fuzzy Hash: C2B26632608BC485EB21DF26E4443EA73A4F798B88F45822ADF8D57B99DF38C195C714
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GlobalMemoryStatusEx.KERNEL32 ref: 00408749
      Strings
      • Total CP, xrefs: 00408674
      • task_idx86386amd64usernameprocess_nameexecutablepidparent_process_nameppidarch, xrefs: 004085B1
      • pipe_nameexecuteEhfeYJEicXvOOqC, xrefs: 004085E1
      Similarity
      • API ID: GlobalMemoryStatus
      • String ID: Total CP$pipe_nameexecuteEhfeYJEicXvOOqC$task_idx86386amd64usernameprocess_nameexecutablepidparent_process_nameppidarch
      • API String ID: 1890195054-2153574380
      • Opcode ID: 9234dc470fdee6aef3ebbfda8c1943d451153276e507b85ec5e30c7f4e94282a
      • Instruction ID: 26279a8787bba287d2cc8c32d53bc1a6fdf06d6fccbb7944b0222aeca7f1e130
      • Opcode Fuzzy Hash: 9234dc470fdee6aef3ebbfda8c1943d451153276e507b85ec5e30c7f4e94282a
      • Instruction Fuzzy Hash: C5C19D32608BC592E7259F22E9413EEB3A4F795788F40822AEBC817B59DF7CC195C744
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 004894A0: RtlCaptureContext.KERNEL32 ref: 00489525
        • Part of subcall function 004894A0: RtlUnwindEx.KERNEL32 ref: 00489543
        • Part of subcall function 004894A0: abort.MSVCRT ref: 00489549
        • Part of subcall function 004894A0: abort.MSVCRT ref: 00489560
        • Part of subcall function 0043BACE: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043BB03
        • Part of subcall function 0047E1D6: memset.NTDLL ref: 0047E26C
      • GlobalMemoryStatusEx.KERNEL32 ref: 00408749
      • K32GetPerformanceInfo.KERNEL32 ref: 0040879D
      • PdhOpenQueryA.PDH ref: 00408832
      • PdhCollectQueryData.PDH ref: 00408A56
      • NtQuerySystemInformation.NTDLL ref: 00408BEB
        • Part of subcall function 0047A108: memcpy.NTDLL ref: 0047A17C
      Strings
      • Total CP, xrefs: 00408674
      • task_idx86386amd64usernameprocess_nameexecutablepidparent_process_nameppidarch, xrefs: 004085B1
      • pipe_nameexecuteEhfeYJEicXvOOqC, xrefs: 004085E1
      Similarity
      • API ID: Query$abortmemcpy$CaptureCollectContextDataGlobalInfoInformationMemoryOpenPerformanceStatusSystemUnwindmemset
      • String ID: Total CP$pipe_nameexecuteEhfeYJEicXvOOqC$task_idx86386amd64usernameprocess_nameexecutablepidparent_process_nameppidarch
      • API String ID: 3142878841-2153574380
      • Opcode ID: c88968f6800bbefae9ed7fe7614994091aaf570964a3b1bc79031ec9175e44ee
      • Instruction ID: dc43559bfaec0981f9a46a07b524b3d593fab1db2a7dde770e72cac3fa4b0e38
      • Opcode Fuzzy Hash: c88968f6800bbefae9ed7fe7614994091aaf570964a3b1bc79031ec9175e44ee
      • Instruction Fuzzy Hash: 17C18D32608BC492E7259F22E9413EAB3A4F795788F40922AEB8817B59DF7CC195C744
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 0043BACE: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043BB03
        • Part of subcall function 0047E1D6: memset.NTDLL ref: 0047E26C
      • GlobalMemoryStatusEx.KERNEL32 ref: 00408749
      • K32GetPerformanceInfo.KERNEL32 ref: 0040879D
      • PdhOpenQueryA.PDH ref: 00408832
      • PdhCollectQueryData.PDH ref: 00408A56
      • NtQuerySystemInformation.NTDLL ref: 00408BEB
        • Part of subcall function 0047A108: memcpy.NTDLL ref: 0047A17C
      Strings
      • Total CP, xrefs: 00408674
      • task_idx86386amd64usernameprocess_nameexecutablepidparent_process_nameppidarch, xrefs: 004085B1
      • pipe_nameexecuteEhfeYJEicXvOOqC, xrefs: 004085E1
      Similarity
      • API ID: Query$memcpy$CollectDataGlobalInfoInformationMemoryOpenPerformanceStatusSystemmemset
      • String ID: Total CP$pipe_nameexecuteEhfeYJEicXvOOqC$task_idx86386amd64usernameprocess_nameexecutablepidparent_process_nameppidarch
      • API String ID: 539917485-2153574380
      • Opcode ID: 5f3f2d71f00a3e0ea9dafd8aaa1c4634a445abb242b8038d99fa91fd29a4f026
      • Instruction ID: ef0ea50663a86cba3bb849bceddebc52b881401e56ed3fc7ca72e7b24c8e84c7
      • Opcode Fuzzy Hash: 5f3f2d71f00a3e0ea9dafd8aaa1c4634a445abb242b8038d99fa91fd29a4f026
      • Instruction Fuzzy Hash: 27C1AF32608BC492E7359F22E9413EAB3A4F794788F40922AEBC817B59DF7CC195C744
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 0043BACE: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043BB03
        • Part of subcall function 0047E1D6: memset.NTDLL ref: 0047E26C
      • GlobalMemoryStatusEx.KERNEL32 ref: 00408749
      • K32GetPerformanceInfo.KERNEL32 ref: 0040879D
      • PdhOpenQueryA.PDH ref: 00408832
      • PdhCollectQueryData.PDH ref: 00408A56
      • NtQuerySystemInformation.NTDLL ref: 00408BEB
        • Part of subcall function 0047A108: memcpy.NTDLL ref: 0047A17C
      Strings
      • Total CP, xrefs: 00408674
      • task_idx86386amd64usernameprocess_nameexecutablepidparent_process_nameppidarch, xrefs: 004085B1
      • pipe_nameexecuteEhfeYJEicXvOOqC, xrefs: 004085E1
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: Query$memcpy$CollectDataGlobalInfoInformationMemoryOpenPerformanceStatusSystemmemset
      • String ID: Total CP$pipe_nameexecuteEhfeYJEicXvOOqC$task_idx86386amd64usernameprocess_nameexecutablepidparent_process_nameppidarch
      • API String ID: 539917485-2153574380
      • Opcode ID: 2b06c006df3ae58201a58db0c3ce261306c72a48083e7486120eac3941eb25f9
      • Instruction ID: ef0ea50663a86cba3bb849bceddebc52b881401e56ed3fc7ca72e7b24c8e84c7
      • Opcode Fuzzy Hash: 2b06c006df3ae58201a58db0c3ce261306c72a48083e7486120eac3941eb25f9
      • Instruction Fuzzy Hash: 27C1AF32608BC492E7359F22E9413EAB3A4F794788F40922AEBC817B59DF7CC195C744
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 0043BACE: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043BB03
        • Part of subcall function 0047E1D6: memset.NTDLL ref: 0047E26C
      • GlobalMemoryStatusEx.KERNEL32 ref: 00408749
      • K32GetPerformanceInfo.KERNEL32 ref: 0040879D
      • PdhOpenQueryA.PDH ref: 00408832
      • PdhCollectQueryData.PDH ref: 00408A56
      • NtQuerySystemInformation.NTDLL ref: 00408BEB
        • Part of subcall function 0047A108: memcpy.NTDLL ref: 0047A17C
      Strings
      • Total CP, xrefs: 00408674
      • task_idx86386amd64usernameprocess_nameexecutablepidparent_process_nameppidarch, xrefs: 004085B1
      • pipe_nameexecuteEhfeYJEicXvOOqC, xrefs: 004085E1
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: Query$memcpy$CollectDataGlobalInfoInformationMemoryOpenPerformanceStatusSystemmemset
      • String ID: Total CP$pipe_nameexecuteEhfeYJEicXvOOqC$task_idx86386amd64usernameprocess_nameexecutablepidparent_process_nameppidarch
      • API String ID: 539917485-2153574380
      • Opcode ID: 7058c7034581ca28802e0d8b6293b72b1eb729dffda87f9cf81c61a599ad45ed
      • Instruction ID: ef0ea50663a86cba3bb849bceddebc52b881401e56ed3fc7ca72e7b24c8e84c7
      • Opcode Fuzzy Hash: 7058c7034581ca28802e0d8b6293b72b1eb729dffda87f9cf81c61a599ad45ed
      • Instruction Fuzzy Hash: 27C1AF32608BC492E7359F22E9413EAB3A4F794788F40922AEBC817B59DF7CC195C744
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: memcpy
      • String ID: XqI$assertion failed: d.mant > 0$assertion failed: d.mant.checked_add(d.plus).is_some()$assertion failed: d.mant.checked_sub(d.minus).is_some()$assertion failed: noborrowassertion failed: digits < 40assertion failed: other > 0$attempt to divide by zero
      • API String ID: 3510742995-1079322299
      • Opcode ID: a0726b72fd42acb2be6a32c910a510b4a5ee74d9cbc6d5abf2390729f42da190
      • Instruction ID: b5fd0c239dffc6f4c024912a3827d6d02de55439221ade1548b15558f9b13649
      • Opcode Fuzzy Hash: a0726b72fd42acb2be6a32c910a510b4a5ee74d9cbc6d5abf2390729f42da190
      • Instruction Fuzzy Hash: DC51347271198482EA21CF49E4067EAAB60FBD9798F845222EE4A13714EB3DC4C7C748
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CreateNamedPipeW.KERNEL32 ref: 0042B2B2
        • Part of subcall function 0042918B: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00429663), ref: 0042918F
      • CreateIoCompletionPort.KERNEL32 ref: 0042B6F0
      Strings
      • I/O source already registered with a `Registry`, xrefs: 0042B5F7
      • A Tokio 1.x context was found, but it is being shutdown.tokio-1.35.1rtTaMgdSrvBWaTqavuZBjiePuQNNjlR, xrefs: 0042B413
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: Create$CompletionErrorLastNamedPipePort
      • String ID: A Tokio 1.x context was found, but it is being shutdown.tokio-1.35.1rtTaMgdSrvBWaTqavuZBjiePuQNNjlR$I/O source already registered with a `Registry`
      • API String ID: 3291731705-964732226
      • Opcode ID: 7d63d7f8508027f4270501665bc37301e3cb085897d23f77740b4ed7f005ae39
      • Instruction ID: 10f273c2621d6e923e38f933d997dccbab1db8d3ed61a391ee324368608da8bf
      • Opcode Fuzzy Hash: 7d63d7f8508027f4270501665bc37301e3cb085897d23f77740b4ed7f005ae39
      • Instruction Fuzzy Hash: 3602BC72708BE082D6219B12F9457AEB364F788BD8F85811AEF8807B59DF7CD196C344
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      • @cJ, xrefs: 0047EFF3
      • unknownassertion failed: successwhoami-1.4.1rpUTXVNtgMtVRvf, xrefs: 0047F012
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: memcpy$InfoSystem
      • String ID: @cJ$unknownassertion failed: successwhoami-1.4.1rpUTXVNtgMtVRvf
      • API String ID: 1915069931-758613265
      • Opcode ID: cfad1fe49c0a25114a1725378b2895204149031213f1e83c154316982008ed72
      • Instruction ID: 69c8291c33510151f9bb9e59486e2f087185aa7b81f05055e32edd3704916ce9
      • Opcode Fuzzy Hash: cfad1fe49c0a25114a1725378b2895204149031213f1e83c154316982008ed72
      • Instruction Fuzzy Hash: D2F16A72219BC082EA65DB16E4403EEB3A1F789BD4F54822ADE8D57B59DF3CC486C704
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID:
      • String ID: 33333333$33333333$33333333$TUUUUUUU$UUUUUUUU$UUUUUUUU$UUUUUUUU
      • API String ID: 0-2965141230
      • Opcode ID: 1e44499c212fb8fbee31e1e7a531388030ce6e2981c0f14be80162a3e244dd93
      • Instruction ID: b5c0bf08b0b0d5317c3eb6119ec9fe64faaa4ec9fa950206d0996386c78151bc
      • Opcode Fuzzy Hash: 1e44499c212fb8fbee31e1e7a531388030ce6e2981c0f14be80162a3e244dd93
      • Instruction Fuzzy Hash: 02814693721B5842ED04DB03A4263AA5B62F789FF4749E436DE6E57B88DD3CE106C301
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • OpenProcessToken.ADVAPI32 ref: 0047BDB5
        • Part of subcall function 00488B6F: GetLastError.KERNEL32 ref: 00488B73
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: ErrorLastOpenProcessToken
      • String ID: 0eJ$combase.dll$qeJ
      • API String ID: 2961703104-2598768502
      • Opcode ID: a3920525b52a742c3562ae5cc86934abfc3b3934d5b7048ec3ac606ad3727cad
      • Instruction ID: 2d9247164c9308ca73f0933d2b0a5b8e40990735d9783685a64ec0d20f1f9775
      • Opcode Fuzzy Hash: a3920525b52a742c3562ae5cc86934abfc3b3934d5b7048ec3ac606ad3727cad
      • Instruction Fuzzy Hash: 4851CB6270470082DB18EB2298453EE6360FB86F98F98C52BEE4D977A5DF3DC4858749
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: Library$AddressFreeLoadProc
      • String ID: AddVectoredExceptionHandler$kernel32.dll
      • API String ID: 145871493-3472422323
      • Opcode ID: ab37f468bea37ba46b4a664bc76add9a2c6e4178b501be442a672e524db67aac
      • Instruction ID: 0eea77c9171ebbfe8c08dfcea84eb41c8a8d21199cbd13515ecbc40085fc2254
      • Opcode Fuzzy Hash: ab37f468bea37ba46b4a664bc76add9a2c6e4178b501be442a672e524db67aac
      • Instruction Fuzzy Hash: 66F0ED94702A1291EF19BB53BC547276294BB5DBCDF84582A8D2E07350EF3CE559C309
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: memcmp
      • String ID: .llvm./OiMaDBRllUmmrxLJPqTGLaglesdVyVFFgSaayyPGbI$Y#J$Y#J$Y#J$__ZN$`fmt::Error`s should be impossible without a `fmt::Formatter`
      • API String ID: 1475443563-657663821
      • Opcode ID: a9fbf98e65a0da690d528a7e7cef880fdab51d7bf43ce19cd081426010f3b092
      • Instruction ID: 84714ee40e54b8e11084452afd1c5b8bb096dfd15543b4d1b85f2fcfee379188
      • Opcode Fuzzy Hash: a9fbf98e65a0da690d528a7e7cef880fdab51d7bf43ce19cd081426010f3b092
      • Instruction Fuzzy Hash: 3A426A63619AE081FB258B15A4143AABB61F3867E0F454213EEAA077F4DB7CC9C5C709
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID:
      • String ID: 'jI$0$0$00000000$XdI$attempt to divide by zero
      • API String ID: 0-3811247818
      • Opcode ID: d49143d972736a046fde8eab027f74fdcffa779296a7720396c4f371e3f1df56
      • Instruction ID: c88297406210c34f85b7c38ee61fad107e0b4f879bc99359aaeb265eacd88112
      • Opcode Fuzzy Hash: d49143d972736a046fde8eab027f74fdcffa779296a7720396c4f371e3f1df56
      • Instruction Fuzzy Hash: 6302F072718B8082DB21CB15F4403DAB7A6F795390F548227EE8947FA8DB7CC586C789
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00430554: memcpy.NTDLL ref: 0043058C
      • memcpy.NTDLL ref: 00431229
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: memcpy
      • String ID: arenegyl$modnarod$setybdet$uespemos
      • API String ID: 3510742995-66988881
      • Opcode ID: d6a961b00d81f5459af3c09f95c94ab5543153d716f2545fabc39b2ee1db5838
      • Instruction ID: 86a60e7317e0fb74e0ed9b0f614f15c1a1cd60536e454e189f311c5492e6ad96
      • Opcode Fuzzy Hash: d6a961b00d81f5459af3c09f95c94ab5543153d716f2545fabc39b2ee1db5838
      • Instruction Fuzzy Hash: 2E519172709BC481EAA1CB29B9553EAB3A5F7887D8F409226DECC47B59DF38C195C700
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetSystemTimeAsFileTime.KERNEL32 ref: 0048E445
      • GetCurrentProcessId.KERNEL32 ref: 0048E450
      • GetCurrentThreadId.KERNEL32 ref: 0048E459
      • GetTickCount.KERNEL32 ref: 0048E461
      • QueryPerformanceCounter.KERNEL32 ref: 0048E46E
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
      • String ID:
      • API String ID: 1445889803-0
      • Opcode ID: 61f4a9df2537ea37a6e3898f23504ad59bfee1fa9fc981564dd512a909282612
      • Instruction ID: dc8478db8f4840bae8e2509db5a9fd150e89d561178b5d4015606a2eec34f6ac
      • Opcode Fuzzy Hash: 61f4a9df2537ea37a6e3898f23504ad59bfee1fa9fc981564dd512a909282612
      • Instruction Fuzzy Hash: E9119EA6711A1086FB606B25FC0831A73A0B748BB4F480B75DE9C437A4DF3CD886C308
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID:
      • String ID: )Unknown ($,(><&*@$::_$$called `Option::unwrap()` on a `None` value$called `Result::unwrap()` on an `Err` value
      • API String ID: 0-4065487196
      • Opcode ID: ae1fbbd06b84d83adae7b4527875302d652ac62faa9584a3f976ec999ffd1f91
      • Instruction ID: d289d34936cf44d9f71101c7ea7d750c372a470426191d9084b260b0739150fe
      • Opcode Fuzzy Hash: ae1fbbd06b84d83adae7b4527875302d652ac62faa9584a3f976ec999ffd1f91
      • Instruction Fuzzy Hash: 6042AAB63246A041FB388B21EA4476B6B52F3467D4F844207EE5A07BB4DB7CC586D709
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: memcpy$memset
      • String ID:
      • API String ID: 438689982-0
      • Opcode ID: 3cbf7954c7ac19cd872a36c18ecd42f4e006e4b3d351482e5bacb20065a5abe3
      • Instruction ID: ecbd55fc89aae40571085766d48310d3a66aa81d59db8928474ced0804f6ef96
      • Opcode Fuzzy Hash: 3cbf7954c7ac19cd872a36c18ecd42f4e006e4b3d351482e5bacb20065a5abe3
      • Instruction Fuzzy Hash: 8E32A7B2A14FC541E712AB36A4037EAE310EBDA7C4F409316EEC577A5ADB6CD2469304
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: SwitchThread
      • String ID:
      • API String ID: 115865932-3916222277
      • Opcode ID: 80c3090f468f8ab63ea3e105ee428b631cf45ff8f7dcd9be1069169cde2a23fb
      • Instruction ID: d43db5c1f59473ec999592a8865e8f4c4d07295c1afe12a09e4f7b6d4ba668bf
      • Opcode Fuzzy Hash: 80c3090f468f8ab63ea3e105ee428b631cf45ff8f7dcd9be1069169cde2a23fb
      • Instruction Fuzzy Hash: 01C1D172305B8082DA15DB12E5553AB63A1F78DBD8F48A12BEE9E4B764DF3CC481C708
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • memset.NTDLL(?,488945008941CB87,00000001,00000000,00000000,?,0040290E,00000000,004243FA), ref: 00424DB7
      • memset.NTDLL(?,488945008941CB87,00000001,00000000,00000000,?,0040290E,00000000,004243FA), ref: 00424DCC
      • memset.NTDLL(?,488945008941CB87,00000001,00000000,00000000,?,0040290E,00000000,004243FA), ref: 00424F07
      • memset.NTDLL(?,488945008941CB87,00000001,00000000,00000000,?,0040290E,00000000,004243FA), ref: 00424F9D
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: memset
      • String ID:
      • API String ID: 2221118986-0
      • Opcode ID: 7f335c9250b97e908343c838c2965154c49730e8cab2f3ac42cdfbf4906a71ff
      • Instruction ID: 8dbbe1f63cc60688237407ca9bc22ba41a0d747ca664d9effe832745c8639f13
      • Opcode Fuzzy Hash: 7f335c9250b97e908343c838c2965154c49730e8cab2f3ac42cdfbf4906a71ff
      • Instruction Fuzzy Hash: EB1241B2B25AB0D2DB25DB54F4047BA6321F784788FD48623DB0A53798EB7CC582C709
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      • assertion failed: d.mant > 0, xrefs: 00417F68
      • attempt to divide by zero, xrefs: 00417DE6
      • XqI, xrefs: 00417AE9
      • assertion failed: d.mant < (1 << 61), xrefs: 00417F82
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID:
      • String ID: XqI$assertion failed: d.mant < (1 << 61)$assertion failed: d.mant > 0$attempt to divide by zero
      • API String ID: 0-2920975873
      • Opcode ID: f6e213385f5e3645ed938b50a3447a75cc577c76f55e3499e78f3aad169f463d
      • Instruction ID: fdf9b0d7b5122ac96ed0384b7d8086ea3dbe294d1807775ab3b2d0de94ff3748
      • Opcode Fuzzy Hash: f6e213385f5e3645ed938b50a3447a75cc577c76f55e3499e78f3aad169f463d
      • Instruction Fuzzy Hash: 83A14476718B9483DF198B15F9513BA6362F784BC4F94802AEE4E07B54EB3CCA86C744
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      • A Tokio 1.x context was found, but IO is disabled. Call `enable_io` on the runtime builder to enable IO.A Tokio 1.x context was found, but timers are disabled. Call `enable_time` on the runtime builder to enable timers.Oh no! We never placed the Core back, thi, xrefs: 00483294
      • combase.dll, xrefs: 004833D2
      • +tJ, xrefs: 004836E7
      • KtJ, xrefs: 004836B7
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID:
      • String ID: +tJ$A Tokio 1.x context was found, but IO is disabled. Call `enable_io` on the runtime builder to enable IO.A Tokio 1.x context was found, but timers are disabled. Call `enable_time` on the runtime builder to enable timers.Oh no! We never placed the Core back, thi$KtJ$combase.dll
      • API String ID: 0-1648023280
      • Opcode ID: 97889389801c0df76fad06953a0a00721124a2401b0a08f572f5dc885e1c142c
      • Instruction ID: b8207f63cdcad3b28ff04baf28de24f4cc073345f2791ca60a6afbde284357e6
      • Opcode Fuzzy Hash: 97889389801c0df76fad06953a0a00721124a2401b0a08f572f5dc885e1c142c
      • Instruction Fuzzy Hash: 22C1CC72605B8082DB21EF15E8403AEB3A5F798B98F94862ADF8D47754DF3DC696C304
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • memcpy.NTDLL(?,?,?,?,00000000,00000007,?,?,?,?,?,?,004396D2), ref: 0043987E
      • memset.NTDLL(?,?,?,?,00000000,00000007,?,?,?,?,?,?,004396D2), ref: 00439900
      • memcpy.NTDLL(?,?,?,?,00000000,00000007,?,?,?,?,?,?,004396D2), ref: 004399D6
      • memcpy.NTDLL(?,?,?,?,00000000,00000007,?,?,?,?,?,?,004396D2), ref: 00439B15
      Similarity
      • API ID: memcpy$memset
      • String ID:
      • API String ID: 438689982-0
      • Opcode ID: e65aad6c6b8abc5ab80afe002dfa2931fafb2928917169ddaa4ddde3890c33a2
      • Instruction ID: 4f0a2f0dda179fc26cf5308adbcc2f687903c0ccfbf48921750c1c6dedf49876
      • Opcode Fuzzy Hash: e65aad6c6b8abc5ab80afe002dfa2931fafb2928917169ddaa4ddde3890c33a2
      • Instruction Fuzzy Hash: B091F262318B8081DE04DF2AA81526AA710F78ABF4F54571AEFBE177D8DB7CC406C304
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      • assertion failed: code < MAX_HUFF_SYMBOLS_2, xrefs: 00424D26
      Similarity
      • API ID: memset
      • String ID: assertion failed: code < MAX_HUFF_SYMBOLS_2
      • API String ID: 2221118986-707042715
      • Opcode ID: c2a41aa19f471dff5bec8b6854dc63d54ff3a806762e3a80ddfef0376051333c
      • Instruction ID: 938964da60f64e2201080b3ac2ffbc6a3d42b755ef6072566c2dc2608b6df070
      • Opcode Fuzzy Hash: c2a41aa19f471dff5bec8b6854dc63d54ff3a806762e3a80ddfef0376051333c
      • Instruction Fuzzy Hash: A532E4623046B482EB20DF56F8407AA6B61F7C5BC8FC54127EE8A07B99DB7CC546C748
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Similarity
      • API ID:
      • String ID: arenegyl$modnarod$setybdet$uespemos
      • API String ID: 0-66988881
      • Opcode ID: 0e2e4ac79e97f4a3adb0fa019166014f788f7ad65e4934c0cf2dd50860d5408c
      • Instruction ID: 41aa8c295c9d3c80d8bfa506ce5fdd371d0d6f6239b88f5e3a96f88b802e9a7c
      • Opcode Fuzzy Hash: 0e2e4ac79e97f4a3adb0fa019166014f788f7ad65e4934c0cf2dd50860d5408c
      • Instruction Fuzzy Hash: 8E31E7A2704B8043FBA4DBA9B62536BE276FB553C4F50E521CFC953A09DF2CD2928344
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetSystemTimes.KERNEL32 ref: 0047CAF1
        • Part of subcall function 00488B6F: GetLastError.KERNEL32 ref: 00488B73
      • GetProcessIoCounters.KERNEL32 ref: 0047CC4E
      • GetProcessMemoryInfo.PSAPI ref: 0047CCC4
      Similarity
      • API ID: Process$CountersErrorInfoLastMemorySystemTimes
      • String ID:
      • API String ID: 2944460643-0
      • Opcode ID: 1518e3484bd2782c95c5f1060e862f7446bf5b54fef01aa152661e13e76017be
      • Instruction ID: 469ddaf8d0f9ae7ffedd3d88bc831b08b2eb7d791459289ab88da7a15403c85e
      • Opcode Fuzzy Hash: 1518e3484bd2782c95c5f1060e862f7446bf5b54fef01aa152661e13e76017be
      • Instruction Fuzzy Hash: 6C811562714BC492EB298B36D5813EAA761FB98794F04C61AEF9C17795EF3CD0A1C304
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Similarity
      • API ID:
      • String ID: +NaNinf0e0assertion failed: buf.len() >= maxlen$XqI$attempt to divide by zero
      • API String ID: 0-3571489180
      • Opcode ID: 99ab7d2fa5adb3354e88939740edd84786617a36738e07e8046a0fdbe6726dba
      • Instruction ID: a5bd7c9ebf0f8c8daad028e18f8b83ebb7356ecb52877ef5e97b1c7c49d29918
      • Opcode Fuzzy Hash: 99ab7d2fa5adb3354e88939740edd84786617a36738e07e8046a0fdbe6726dba
      • Instruction Fuzzy Hash: 74C16972718B9883DA18CF65B400BDAB761F388BD0F449226EE9D57B58DB3CC586C704
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Similarity
      • API ID:
      • String ID: Authenti$GenuineI$HygonGen
      • API String ID: 0-696657513
      • Opcode ID: 97c82de521e095cda28841b519dad7209233ccad7926698d449bf0ed4b5ca1da
      • Instruction ID: 7883b45e56d60f5975dde5311b82e783ca3e9b75b4eef9dd272f95bae8a0762f
      • Opcode Fuzzy Hash: 97c82de521e095cda28841b519dad7209233ccad7926698d449bf0ed4b5ca1da
      • Instruction Fuzzy Hash: B3818CA3731A9003FB198A56BD11BEA4C42A358BD4F19B139ED5FABB85D47CCE11C341
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Similarity
      • API ID:
      • String ID: 33333333$33333333$UUUUUUUU
      • API String ID: 0-629463729
      • Opcode ID: f95bc4fc9f0fe95432c6fe7fe7d6f0f3dc957c626e02b524f7a61251949a2eb6
      • Instruction ID: 296b82eaeb26396f230522c18e05055e28d795045825ba71ecc54f5a15c33345
      • Opcode Fuzzy Hash: f95bc4fc9f0fe95432c6fe7fe7d6f0f3dc957c626e02b524f7a61251949a2eb6
      • Instruction Fuzzy Hash: 6391B0A1314B4486F6509B62F924BD76250F389BE4F48903BEF9E17F69DE3CC586C209
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      • internal error: entered unreachable codecalled `Option::unwrap()` on a `None` value, xrefs: 00467BAC
      Similarity
      • API ID: CommandLine
      • String ID: internal error: entered unreachable codecalled `Option::unwrap()` on a `None` value
      • API String ID: 3253501508-2307832163
      • Opcode ID: b12c18f3697bb5783e188227ebd4835d18fbdf670b0375a1598087101644dc8a
      • Instruction ID: 7728f8c7623ab2bfbf8561457c2605a714337b3a24afc8f2ca6b95453b9998a4
      • Opcode Fuzzy Hash: b12c18f3697bb5783e188227ebd4835d18fbdf670b0375a1598087101644dc8a
      • Instruction Fuzzy Hash: 62E1C262628B8482DB248B16E0403BBB761F79978CF545606FF8A07B59EF7CC585CB09
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • NtQueryInformationProcess.NTDLL ref: 0047C087
      • NtQueryInformationProcess.NTDLL ref: 0047C1E0
        • Part of subcall function 0047CE66: wcslen.NTDLL ref: 0047CEC0
        • Part of subcall function 0047CE66: LocalFree.KERNEL32 ref: 0047CEE7
      Similarity
      • API ID: InformationProcessQuery$FreeLocalwcslen
      • String ID:
      • API String ID: 414701844-0
      • Opcode ID: 1813fb307c56ac4eedddedeb7be9ec27132141ba5c3f6a8ca23b1bf87d9edf69
      • Instruction ID: f21afbf0180f204848dbedbbbb1efcb07f3ee5cbf003c94b0d259d6c981466b1
      • Opcode Fuzzy Hash: 1813fb307c56ac4eedddedeb7be9ec27132141ba5c3f6a8ca23b1bf87d9edf69
      • Instruction Fuzzy Hash: AB428162618BC082DA24DB22A4843EFA761F786B88F44C11BEF8D57B55DF7CC189D748
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Similarity
      • API ID:
      • String ID: 33333333$UUUUUUUU
      • API String ID: 0-3483174168
      • Opcode ID: 46baf53646f265fab371f7c6721777ed7f915a8f7d45b7802b79bd0ac064ac85
      • Instruction ID: 0a071b0de3450c231dd36477c2ccc71a6c974c4b361aaac83125896d4256ecdd
      • Opcode Fuzzy Hash: 46baf53646f265fab371f7c6721777ed7f915a8f7d45b7802b79bd0ac064ac85
      • Instruction Fuzzy Hash: 596226633197D446EA14CFA679606EBAB51F769BC0F44A02ADF8C97B06CE3CD656C300
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Similarity
      • API ID: memset
      • String ID: punycode{-0
      • API String ID: 2221118986-3751456247
      • Opcode ID: 321d999fd51e26f805c0f6eebe461a3935c0d7732bc3d87b501a4a94798b45d8
      • Instruction ID: 373d71ff763a2bc482054e578264f89d67005aeecf05f95f7bcf4563638b293d
      • Opcode Fuzzy Hash: 321d999fd51e26f805c0f6eebe461a3935c0d7732bc3d87b501a4a94798b45d8
      • Instruction Fuzzy Hash: 03D12662B1868486EF24CB16F4447ABA752F39DBD4F44A123DE8D03B98DB3CD956C708
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • NtQueryInformationProcess.NTDLL ref: 0047CF53
      • NtQueryInformationProcess.NTDLL ref: 0047CFFC
      Similarity
      • API ID: InformationProcessQuery
      • String ID:
      • API String ID: 1778838933-0
      • Opcode ID: eb016d4c8b7d49d121b62bf2653c45d848ef442e869e947b6cd84e45a8a07002
      • Instruction ID: 1d9733a0bfb62f1a90f19336173681d77bc11c300ab6289356b32fbc266be765
      • Opcode Fuzzy Hash: eb016d4c8b7d49d121b62bf2653c45d848ef442e869e947b6cd84e45a8a07002
      • Instruction Fuzzy Hash: 3831AE22315A8082DA14DE12EA4479EB362FB85BC8F58D02AEF8D47B58EF3CC581C704
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • BCryptGenRandom.BCRYPT(?,?,?,?,?,?,?,?,004354AE), ref: 0042FF87
      • SystemFunction036.ADVAPI32(?,?,?,?,?,?,?,?,004354AE), ref: 0042FF9B
      Similarity
      • API ID: CryptFunction036RandomSystem
      • String ID:
      • API String ID: 1232939966-0
      • Opcode ID: 2a83835d96c2ce5615055b01b708d90b6e19b4c6f58fdbcccf5eb59f6d80664e
      • Instruction ID: 5d4319fcb26b7caf40f679439ac2a15c3c0bd8e5db73560caefb519d723246d2
      • Opcode Fuzzy Hash: 2a83835d96c2ce5615055b01b708d90b6e19b4c6f58fdbcccf5eb59f6d80664e
      • Instruction Fuzzy Hash: 1E01685230007009FE29666B7E04B6A84912B4ABF4F9A42375E2C4BBD4E43CC8C7830C
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Similarity
      • API ID: memcpy
      • String ID:
      • API String ID: 3510742995-0
      • Opcode ID: a8704fd37a76cc091c24c8854490feac14f23b842586395b0ded2e87eed1d57f
      • Instruction ID: aca80dab6b6330e5454cd33ed11f5ba701ca210a19d8cf6061e4de21c9cb235e
      • Opcode Fuzzy Hash: a8704fd37a76cc091c24c8854490feac14f23b842586395b0ded2e87eed1d57f
      • Instruction Fuzzy Hash: 6B027212918BC481E7724B2DA4063FAE360FFDD798F186712DEC426B65EB79D2868704
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Similarity
      • API ID:
      • String ID: +NaNinf0e0assertion failed: buf.len() >= maxlen$combase.dll
      • API String ID: 0-3096168635
      • Opcode ID: a25525432983313e2b03e1f02b0358e67586244f16374f506d16d19cb98aaabd
      • Instruction ID: 98495fc73ff1b633c01a5af0d874ff6689883ad44bfa7cecc7b0cf0957c563e6
      • Opcode Fuzzy Hash: a25525432983313e2b03e1f02b0358e67586244f16374f506d16d19cb98aaabd
      • Instruction Fuzzy Hash: 08E1067225CBC4C2E7118B10F8917DBB3A5F780394F605226EB9947BA8DB7CC589CB05
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Similarity
      • API ID:
      • String ID: |uI$|uI
      • API String ID: 0-2539331249
      • Opcode ID: 4a74d6ba880f4baad3fddda17758c6d3cdeba3b63305db97016a5eeb5187ccf0
      • Instruction ID: 5d3cc2d7525a1b14c1948cebe5183563213d0357e8a30d8a12567628934b752c
      • Opcode Fuzzy Hash: 4a74d6ba880f4baad3fddda17758c6d3cdeba3b63305db97016a5eeb5187ccf0
      • Instruction Fuzzy Hash: B9D10976208AC491D6229B6AA4053EAB761FBC9788F459312FFC427715EF3CD396C704
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Similarity
      • API ID: memcpymemset
      • String ID:
      • API String ID: 1297977491-0
      • Opcode ID: 0796273fd509337b02a22acf0bc0a663c555b96bdaeb5f519eb9da7bd3260f57
      • Instruction ID: f4865dc44598e4b7b0c1bd817c2d3f75665b6bad09eea33450fff2615611eb24
      • Opcode Fuzzy Hash: 0796273fd509337b02a22acf0bc0a663c555b96bdaeb5f519eb9da7bd3260f57
      • Instruction Fuzzy Hash: 97A11F62715F8482CE05DF2A940416EAB61F78ABF4B444B26EFBA177D9EB7CC106C304
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • memcpy.NTDLL(?,?,?,?,?,?,?,00000000,?,?,?,?,0040AB85), ref: 0040571F
      • memset.NTDLL(?,?,?,?,?,?,?,00000000,?,?,?,?,0040AB85), ref: 004057A1
      Similarity
      • API ID: memcpymemset
      • String ID:
      • API String ID: 1297977491-0
      • Opcode ID: b1cffbda3cc682d5c61455498491f7106ce7cc6e596ce974e40f1efd59b454ed
      • Instruction ID: 744bdec38eec7501d0a056eb8be0230a274f7bdb5b5a9b29879647fd88a032fa
      • Opcode Fuzzy Hash: b1cffbda3cc682d5c61455498491f7106ce7cc6e596ce974e40f1efd59b454ed
      • Instruction Fuzzy Hash: D691F363318FC482DE118B2AA41526AAB20F786BF4F545726DFBA277D5DB3CC146C704
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Similarity
      • API ID: memcpymemset
      • String ID:
      • API String ID: 1297977491-0
      • Opcode ID: 9144139289ad084ece2a2e4e15c6ba198a9db4af7ebe0fb3cad4ab72cd2bf1b6
      • Instruction ID: 04e146458e0c40501f6fe62b5f8e926ac3d9b255dfe4764ec8682bbf3bf96ae5
      • Opcode Fuzzy Hash: 9144139289ad084ece2a2e4e15c6ba198a9db4af7ebe0fb3cad4ab72cd2bf1b6
      • Instruction Fuzzy Hash: FE912663318B8081DE05CF2AA85526EA720F789BE4F54671AEFBA177D5DB7CC246C304
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Similarity
      • API ID:
      • String ID: """"""""$DDDDDDDD
      • API String ID: 0-1621327129
      • Opcode ID: e82bda6f77797387f822c23a123a4d45afcc240e430fc15d0925737bf1b43ce4
      • Instruction ID: 7d545accb59bb8ef9028e34b5d35b128c64b04f00126e5b02df9422cb1df69b2
      • Opcode Fuzzy Hash: e82bda6f77797387f822c23a123a4d45afcc240e430fc15d0925737bf1b43ce4
      • Instruction Fuzzy Hash: 7A115283321175092A3D9EA33E375A3C84D2689FDCA0CF9376D895BBE4D4BED4419145
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      • called `Option::unwrap()` on a `None` value, xrefs: 0042F50B
      Similarity
      • API ID:
      • String ID: called `Option::unwrap()` on a `None` value
      • API String ID: 0-836832528
      • Opcode ID: 3b4aa7f99d166d688e99fa6bf71025cbedce4b4750aa03c505783a8b834dc229
      • Instruction ID: 8905fb6942577cf926717702aa1b863b84c5e6f59d5e28081b16a133ea3d40ff
      • Opcode Fuzzy Hash: 3b4aa7f99d166d688e99fa6bf71025cbedce4b4750aa03c505783a8b834dc229
      • Instruction Fuzzy Hash: 1A129366E29FC556F313573964032B6E318AFFB2C9F50E316FED071923EB6482829644
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: memcmp
      • String ID:
      • API String ID: 1475443563-0
      • Opcode ID: a9c13f44090e9e6954c15afa12610d26ec8e390c726443b1afb3d8ed8bf43764
      • Instruction ID: de4b80d2d3058092cbfcdd218bf8d46c832f1ee48023979450bee98350ead737
      • Opcode Fuzzy Hash: a9c13f44090e9e6954c15afa12610d26ec8e390c726443b1afb3d8ed8bf43764
      • Instruction Fuzzy Hash: 0DB1A9723296F882EB15CF229914FEB6612F315BD4F848612DE5E43B80DB3CD596C348
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID:
      • String ID: combase.dll
      • API String ID: 0-3462769975
      • Opcode ID: 17c47dc7772a5b4ef613d6374551eb836a716ee6884e7006e4a4bac9be78403b
      • Instruction ID: aec7ecb54b2d372bf45fca51d9d8fc494405bcee77636e52a2f1c4af03153ccf
      • Opcode Fuzzy Hash: 17c47dc7772a5b4ef613d6374551eb836a716ee6884e7006e4a4bac9be78403b
      • Instruction Fuzzy Hash: ECB19A9290B7E448FBA28EB495D077B7A41A302765F5C9323CE7A133D1D6BC4D829348
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      • assertion failed: d.params.flush_remaining == 0, xrefs: 00423E89
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID:
      • String ID: assertion failed: d.params.flush_remaining == 0
      • API String ID: 0-1590815299
      • Opcode ID: a5c3c6e170c71936f0b8e1769233d6f9af4e14e6bf963f45648a81ec27f10da8
      • Instruction ID: 9ee4a2cf212c744f2f934138f3b6947dd4faed62d2361ea9c07c5273678cd6a4
      • Opcode Fuzzy Hash: a5c3c6e170c71936f0b8e1769233d6f9af4e14e6bf963f45648a81ec27f10da8
      • Instruction Fuzzy Hash: 5BD1CC733146A483DB25CF26F4407AAB761F789B84F84402AEBDA47751CBBCD285CB08
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID:
      • String ID: combase.dll
      • API String ID: 0-3462769975
      • Opcode ID: 5043724ec6dc7f03036f92ebdf5373eeb92e17295d77b8d046798ad5fd60fd33
      • Instruction ID: e07bd22124b8dfe67defe62ac28f6fd9fa923babb317181663821ade7cde92e6
      • Opcode Fuzzy Hash: 5043724ec6dc7f03036f92ebdf5373eeb92e17295d77b8d046798ad5fd60fd33
      • Instruction Fuzzy Hash: B9B125A2628A5082DB298B29E5003BFA761F7957D4F14D623DE9F47BB1EB7CC541C308
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      • attempted to use a condition variable with more than one mutexparking_lot-0.12.1qFdlRSHPsunnjmE, xrefs: 0042BEF9
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: FrequencyPerformanceQuery
      • String ID: attempted to use a condition variable with more than one mutexparking_lot-0.12.1qFdlRSHPsunnjmE
      • API String ID: 4204123506-2751842173
      • Opcode ID: 6ba42684f77495271f1616431677e3f2eb87a90f045571af1c12e780512e1eec
      • Instruction ID: a1a28783271356bf9f3de577a6926835c465777c756402698192dc9c1620d9c6
      • Opcode Fuzzy Hash: 6ba42684f77495271f1616431677e3f2eb87a90f045571af1c12e780512e1eec
      • Instruction Fuzzy Hash: 94A1E122311B2082DA29DB27B4117AA6790FB85BD8FD5842BDF5E47B44DF3CC5528388
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      • called `Option::unwrap()` on a `None` value, xrefs: 0043E91B
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: memcmp
      • String ID: called `Option::unwrap()` on a `None` value
      • API String ID: 1475443563-836832528
      • Opcode ID: 2e58d57143b04be2ce3c76ffef4ada802adac15d07861d973fd09cec4f3b8796
      • Instruction ID: 173f504738b1bd8ca981ec7127ab88526dbd0ea4d2ed7c1900fc025c806411c8
      • Opcode Fuzzy Hash: 2e58d57143b04be2ce3c76ffef4ada802adac15d07861d973fd09cec4f3b8796
      • Instruction Fuzzy Hash: 67913562B1A29486EB35DB16B4007ABAB51F78D7D4F146122EE8B17BD4DB3CC582C708
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • memset.NTDLL ref: 00487C3A
        • Part of subcall function 004289DB: memcpy.NTDLL(?,?,?,00000000,?,?,00000000,0042C9A2,?,?,?,?,00000002,?,?,?), ref: 00428A34
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: memcpymemset
      • String ID:
      • API String ID: 1297977491-0
      • Opcode ID: 75b2ed69c57ce6a5f69bb3bb863d769e93eb4fe23fbcdd3f2c8fb395f5c15513
      • Instruction ID: bb9e7c2b0a6cb943c96c697273cb3cacd995e725e55e5809d36f8240d52b69b2
      • Opcode Fuzzy Hash: 75b2ed69c57ce6a5f69bb3bb863d769e93eb4fe23fbcdd3f2c8fb395f5c15513
      • Instruction Fuzzy Hash: 3BB12322618BC082E725AB26E4503AFB7A1FB95788F24961ADFD907751EF3CD4D5C304
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: HeapProcess
      • String ID:
      • API String ID: 54951025-0
      • Opcode ID: f426774c392260af1b7f8fda7648da0c6b791c0766dbf910027d42f07e2f73e6
      • Instruction ID: 581b9c653aa62ac51f094554a4a7e6ec829c93198f32bef309c9d5905b5aacb4
      • Opcode Fuzzy Hash: f426774c392260af1b7f8fda7648da0c6b791c0766dbf910027d42f07e2f73e6
      • Instruction Fuzzy Hash: C6E0E5A2F1065182E728EBB6B4903BA61A09F587B0F50C73597BA5BBC0DA6D95D38304
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1075ebe371b76b33bb26d3309c677d132020f4325056ec399139dfa53e378657
      • Instruction ID: 7f87f4f748df8a5f19086b20a75ac36d7a71c9b80ff66459d0622079e90b8427
      • Opcode Fuzzy Hash: 1075ebe371b76b33bb26d3309c677d132020f4325056ec399139dfa53e378657
      • Instruction Fuzzy Hash: 3122F6BBBB956003D71C8B1ADC5279A6193B7D4398B9DF13C9D4AC3F08E93DD6024A44
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 2b8bd889c62f85ac2c482896e9e4ea4ee0587881fadd2f4eb09831d29235ba27
      • Instruction ID: 07266571967091d3f2c42e052c2f097964bfd40f906ad868ffd32a915348593e
      • Opcode Fuzzy Hash: 2b8bd889c62f85ac2c482896e9e4ea4ee0587881fadd2f4eb09831d29235ba27
      • Instruction Fuzzy Hash: 2F22F6B3719B9441FA50DFA2BC60BE7A691F799BC0F44A026DE8D93B19CE3CC6419704
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 12e3e90418b820e115bf51de40a188c82a7cddf6452ecb5809a1e89d9a6e40a5
      • Instruction ID: 6e5e8b17e610c1451c3a6f58ca0935ad187bebecc16bd62c178ba516432e7f0a
      • Opcode Fuzzy Hash: 12e3e90418b820e115bf51de40a188c82a7cddf6452ecb5809a1e89d9a6e40a5
      • Instruction Fuzzy Hash: F122CD763186A087D724CF19F4817AFB7A0F385794F90512BEE9A83B58DA3CD485CB09
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 4030dbe660ae13c20b22a860f7fb6e88b6815587588acdf08c7c5f55e59f70fb
      • Instruction ID: dff84c7358b44f52e3339f83a49e36b2912828378b631676df0a4c3da37fd90f
      • Opcode Fuzzy Hash: 4030dbe660ae13c20b22a860f7fb6e88b6815587588acdf08c7c5f55e59f70fb
      • Instruction Fuzzy Hash: AE819AA6F39BA101EA17873D19027E54600AFA3BE0F45D717EDB571BE0E72D96C38208
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: eca402bfd1018907c76a88ea70f2170d258e215d81cdd780eabfe2e7dc937523
      • Instruction ID: b734b0a1cc21e3ebfd206ca87b1ab130e9561f3f919b8e921f59e28f6b6fd6a3
      • Opcode Fuzzy Hash: eca402bfd1018907c76a88ea70f2170d258e215d81cdd780eabfe2e7dc937523
      • Instruction Fuzzy Hash: 628191A2714BA441FA10CFF1A920BD7A762F3897D8F14A026EF9D57F58DA3CC592C604
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 14f3b7cc4f17fe95880d4d35af53ea3ecb0c73a1e177befa7b76899b75539604
      • Instruction ID: a294a3cb9d2ba0b74b792eb9f23925c68b1d407b402e8900b309755f704c3a94
      • Opcode Fuzzy Hash: 14f3b7cc4f17fe95880d4d35af53ea3ecb0c73a1e177befa7b76899b75539604
      • Instruction Fuzzy Hash: 7B81CDE6F29BA101EA27833D69027F54A105FA37A4F45D727FC7570BE0E729D6835208
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 29d8c390e470457bf7e02226dcc6fc421f15d5cf2b71e5b6b8d84b3a5c73121e
      • Instruction ID: c70582ee95a4a8dcf593a3b0f8d277d129299f29610cd3fac5ed20c450250c2c
      • Opcode Fuzzy Hash: 29d8c390e470457bf7e02226dcc6fc421f15d5cf2b71e5b6b8d84b3a5c73121e
      • Instruction Fuzzy Hash: 938146B27186A093E71A8B14F5297FB6361FB90355FD08123EB4343390EB3D9692D748
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: caf5531ac3a95f666b4b12f90854ffd933ed9107490e9deaf61f6adabbd6006a
      • Instruction ID: 676d2aea85f6447aa79c6c7ac2f4b269e503a6fc0bbe72e2e0beef09170d9d6c
      • Opcode Fuzzy Hash: caf5531ac3a95f666b4b12f90854ffd933ed9107490e9deaf61f6adabbd6006a
      • Instruction Fuzzy Hash: 98415D137196814AEB219629D5013EB6B40F3597ECF44D227FE8E0B789CB2CC591D385
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 920d8386a230a8c84484f83d3fdfa02ba8a46dba23d60a80b8b69712ce0703e8
      • Instruction ID: 676467b68f19a8efded34dbaaab8217d1ae6747736a090a12cc106f48ae5c27b
      • Opcode Fuzzy Hash: 920d8386a230a8c84484f83d3fdfa02ba8a46dba23d60a80b8b69712ce0703e8
      • Instruction Fuzzy Hash: C51198E5B44A8043FE94E7AD77250AA9223EA153D4F90F431CF49A790EDE1DD1938284
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: cb517ad18f2d65eca0f2234db22ed7aa1acbfa689edd96805bb303a2af21e944
      • Instruction ID: 44d0d03b7a397381b3b844002aaeb1e015a09327c153d625171a7593bccaed49
      • Opcode Fuzzy Hash: cb517ad18f2d65eca0f2234db22ed7aa1acbfa689edd96805bb303a2af21e944
      • Instruction Fuzzy Hash: E9213A99C2AFAA42E703A73D6803356E3005EFB94D550E747FDF039AA4F34265D23225
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 510721d10e423bff97681af66037e79e14685f3b84e305f23f7642f0534ab758
      • Instruction ID: 559fe6c4071f72103e1213253803107ac0a374565760a17e229d32d8776c3bba
      • Opcode Fuzzy Hash: 510721d10e423bff97681af66037e79e14685f3b84e305f23f7642f0534ab758
      • Instruction Fuzzy Hash: A2F0B4E1B91AB443A1C09F757910C869620B544FC4B52F022DF4C77749C639CD43C244
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 2887fb67f18c433f74088a7ae75e69382aeaa2a545cd63b3f8ff4c471fad8961
      • Instruction ID: d357293fa05583796a359cf260b41ee469a878c3ac3e079506a1453b1f80d6a9
      • Opcode Fuzzy Hash: 2887fb67f18c433f74088a7ae75e69382aeaa2a545cd63b3f8ff4c471fad8961
      • Instruction Fuzzy Hash: 9AC002CBB6EED4959A76A9540CBD1892A8694BAA2934D804F8F4017392AD4A2C089275
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      Strings
      • NtCreateKeyedEvent, xrefs: 0042C3F9
      • WakeByAddressSingle, xrefs: 0042C3C3
      • NtWaitForKeyedEvent, xrefs: 0042C42F
      • NtReleaseKeyedEvent, xrefs: 0042C414
      • api-ms-win-core-synch-l1-2-0.dll, xrefs: 0042C398
      • ntdll.dll, xrefs: 0042C3E1
      • WaitOnAddress, xrefs: 0042C3AC
      • parking_lot requires either NT Keyed Events (WinXP+) or WaitOnAddress/WakeByAddress (Win8+)parking_lot_core-0.9.9vBdcyMJtwpgTFAaDDgHsexSbELRdLNUlc, xrefs: 0042C4BD
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: AcquireLockShared
      • String ID: NtCreateKeyedEvent$NtReleaseKeyedEvent$NtWaitForKeyedEvent$WaitOnAddress$WakeByAddressSingle$api-ms-win-core-synch-l1-2-0.dll$ntdll.dll$parking_lot requires either NT Keyed Events (WinXP+) or WaitOnAddress/WakeByAddress (Win8+)parking_lot_core-0.9.9vBdcyMJtwpgTFAaDDgHsexSbELRdLNUlc
      • API String ID: 3339848070-2994817840
      • Opcode ID: 8b81545620d476c9c3cc121a478b0f3a4811194f4514c240673f70518528c69c
      • Instruction ID: 9e835cadab2cfb9817a6b41617763368529196ded35e139a40528c92a050e05c
      • Opcode Fuzzy Hash: 8b81545620d476c9c3cc121a478b0f3a4811194f4514c240673f70518528c69c
      • Instruction Fuzzy Hash: 4A911662701A6091EB15EB16F9803AE3360F798BD8F99852BDE1D47394DF3CC596C348
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetModuleHandleA.KERNEL32(00000002,00000000,?,00000000,?,0042C652,?,00000000,?,0042CC1B), ref: 0042C39F
      • GetProcAddress.KERNEL32(00000002,00000001,?,?,?,00000000), ref: 0042C3B6
      • GetProcAddress.KERNEL32(00000002,00000001,?,?,?,00000000), ref: 0042C3CD
      • GetModuleHandleA.KERNEL32(00000002,00000000,?,00000000,?,0042C652,?,00000000,?,0042CC1B), ref: 0042C3E8
      • GetProcAddress.KERNEL32(00000002,00000001,?,?,?,00000000), ref: 0042C403
      • GetProcAddress.KERNEL32(00000002,00000001,?,?,?,00000000), ref: 0042C41E
      • GetProcAddress.KERNEL32(00000002,00000001,?,?,?,00000000), ref: 0042C439
      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0042C2ED), ref: 0042C494
      Strings
      • NtCreateKeyedEvent, xrefs: 0042C3F9
      • WakeByAddressSingle, xrefs: 0042C3C3
      • NtWaitForKeyedEvent, xrefs: 0042C42F
      • NtReleaseKeyedEvent, xrefs: 0042C414
      • api-ms-win-core-synch-l1-2-0.dll, xrefs: 0042C398
      • ntdll.dll, xrefs: 0042C3E1
      • WaitOnAddress, xrefs: 0042C3AC
      • parking_lot requires either NT Keyed Events (WinXP+) or WaitOnAddress/WakeByAddress (Win8+)parking_lot_core-0.9.9vBdcyMJtwpgTFAaDDgHsexSbELRdLNUlc, xrefs: 0042C4BD
      Similarity
      • API ID: AddressProc$Handle$Module$Close
      • String ID: NtCreateKeyedEvent$NtReleaseKeyedEvent$NtWaitForKeyedEvent$WaitOnAddress$WakeByAddressSingle$api-ms-win-core-synch-l1-2-0.dll$ntdll.dll$parking_lot requires either NT Keyed Events (WinXP+) or WaitOnAddress/WakeByAddress (Win8+)parking_lot_core-0.9.9vBdcyMJtwpgTFAaDDgHsexSbELRdLNUlc
      • API String ID: 3875313662-2994817840
      • Opcode ID: 33280ba422780f1ef0248bb5d7f2dbba16320121734e77568f69e465c8d6a8ad
      • Instruction ID: d582f6c185047462d2ac521702e50daba40bca3450a6fa3a4a3c46fdeb18d6af
      • Opcode Fuzzy Hash: 33280ba422780f1ef0248bb5d7f2dbba16320121734e77568f69e465c8d6a8ad
      • Instruction Fuzzy Hash: 7D31416130262090EE15FB12F9A177F6791AB98BD4F88883B9E1D87759EF3CC545C348
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • memcpy.NTDLL ref: 00448A6D
      • GetStdHandle.KERNEL32(?,?,?,?,?,00000669,00000000,?,00000651,00000661,004488EA), ref: 00448ABE
      • GetLastError.KERNEL32(?,?,?,?,?,00000669,00000000,?,00000651,00000661,004488EA), ref: 00448AD1
      • WaitForSingleObject.KERNEL32 ref: 00448BE8
      • RtlNtStatusToDosError.NTDLL ref: 00448C80
      • CloseHandle.KERNEL32 ref: 00448E9C
      Similarity
      • API ID: ErrorHandle$CloseLastObjectSingleStatusWaitmemcpy
      • String ID: QJ$ QJ$ QJ$ QJ$ QJ$DRJ$combase.dll$RJ
      • API String ID: 2941158195-1545324714
      • Opcode ID: b13a209da27f0e33313615338ce8ab1f7dd9e77d647d5be16ee395b462c1ff4c
      • Instruction ID: 06a231cec023785752a07ef018d67b4d34acbd3983d8b7afc4136fb87ba8f7c8
      • Opcode Fuzzy Hash: b13a209da27f0e33313615338ce8ab1f7dd9e77d647d5be16ee395b462c1ff4c
      • Instruction Fuzzy Hash: 00B1F372209BC085EB10DB25F5803AEB7A1E396794F54812BEBC9477A5EFBCC185C709
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • LoadLibraryA.KERNEL32 ref: 0048FA62
      • GetProcAddress.KERNEL32(00000000,00000000,?,?,0048F9C7), ref: 0048FA85
      • GetProcAddress.KERNEL32(?,?,0048F9C7), ref: 0048FA9D
      • GetProcAddress.KERNEL32(?,?,0048F9C7), ref: 0048FAB5
      • GetProcAddress.KERNEL32(?,?,0048F9C7), ref: 0048FACD
      • GetProcAddress.KERNEL32(?,?,0048F9C7), ref: 0048FAE5
      • CloseHandle.KERNEL32 ref: 0048FB7B
      • FreeLibrary.KERNEL32 ref: 0048FB84
      Similarity
      • API ID: AddressProc$Library$CloseFreeHandleLoad
      • String ID: CreateThread$VirtualAlloc$VirtualFree$VirtualProtect$WaitForSingleObject$kernel32.dll
      • API String ID: 1915872250-1073278962
      • Opcode ID: f7a2e09320502cc6764114e5cdc32444337b3ff7ef38ec52d5eab04326b7639b
      • Instruction ID: 3bf93094e69b4e5fe9ca0cb198c9a2c0f0172e4bb2011ac94cd2d27fe874747a
      • Opcode Fuzzy Hash: f7a2e09320502cc6764114e5cdc32444337b3ff7ef38ec52d5eab04326b7639b
      • Instruction Fuzzy Hash: 5B316151702B4144EE26EB26FC6576A7691BF8ABD4F8888369E0D07794EE3CE509C30C
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00428AB5: AcquireSRWLockExclusive.KERNEL32(?,?,?,?,004292E9), ref: 00428AC4
      • RtlNtStatusToDosError.NTDLL ref: 0042948D
      Similarity
      • API ID: AcquireErrorExclusiveLockStatus
      • String ID: @I$Out of bounds access$assertion failed: !self.is_polling.swap(true, Ordering::AcqRel)$called `Option::unwrap()` on a `None` value$I$I$I$I$I$I$I
      • API String ID: 3225304674-2479530546
      • Opcode ID: 2c7621c8d5fd4b92a4459ccb0452da9b01c1d4467e9b62637855c38513585a93
      • Instruction ID: a792588a8a8c9363f5c171662967e8fced93ecb57ee21322706fd124a7922928
      • Opcode Fuzzy Hash: 2c7621c8d5fd4b92a4459ccb0452da9b01c1d4467e9b62637855c38513585a93
      • Instruction Fuzzy Hash: 211289B2305BA482DB20DF16F4543AE67A4F789B94F94412BDA8D47B59DF3CC886C708
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      • combase.dll, xrefs: 0044D084
      • H;J, xrefs: 0044D04A
      • cannot access a Thread Local Storage value during or after destructionNtHgFDtekXONzqhlFlQwLwBSoWxHXrIjNcystVojTfNFroAqTbGPwlPIbUHSugSQZpuLwvTbziGpjRB, xrefs: 0044D056
      Similarity
      • API ID: Value
      • String ID: H;J$cannot access a Thread Local Storage value during or after destructionNtHgFDtekXONzqhlFlQwLwBSoWxHXrIjNcystVojTfNFroAqTbGPwlPIbUHSugSQZpuLwvTbziGpjRB$combase.dll
      • API String ID: 3702945584-3784673160
      • Opcode ID: a3ac56d5277a00f3f7a9a3f051b11946422335dc4ce1b8ba44db95049e876e13
      • Instruction ID: 1fbc220b432b34d809cba8d77fc3c425c48552b3a4bb85378cbbfe4003294951
      • Opcode Fuzzy Hash: a3ac56d5277a00f3f7a9a3f051b11946422335dc4ce1b8ba44db95049e876e13
      • Instruction Fuzzy Hash: A6516D32608B8081E771AB56F4463ABB3A0FB85388F54451AEFC947B95DF7DC186CB48
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • MultiByteToWideChar.KERNEL32 ref: 00448F28
      • WriteConsoleW.KERNEL32 ref: 00448F64
      • WriteConsoleW.KERNEL32(h6J,00000000,00000000,00000651,00000000), ref: 00448FC2
      • GetLastError.KERNEL32(h6J,00000000,00000000,00000651,00000000), ref: 00448FCB
      • GetLastError.KERNEL32(h6J,00000000,00000000,00000651,00000000), ref: 0044905E
      Similarity
      • API ID: ConsoleErrorLastWrite$ByteCharMultiWide
      • String ID: QJ$ QJ$ QJ$ QJ$combase.dll$h6J
      • API String ID: 1956605914-253534728
      • Opcode ID: 2534b2df07a7f32f76d581879dce2811f69ab4068e9717982106ad2927d1de77
      • Instruction ID: f5705eee17f5e0a29a936c43798a79ff62a9c0cc3020369615153687cab4f46b
      • Opcode Fuzzy Hash: 2534b2df07a7f32f76d581879dce2811f69ab4068e9717982106ad2927d1de77
      • Instruction Fuzzy Hash: F951E47220475182FB209B11F8413ABA2A1F785394F64452BEBC947BA9EFBDC585D708
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • ReleaseSRWLockShared.KERNEL32 ref: 0047964B
        • Part of subcall function 004493A0: TlsGetValue.KERNEL32 ref: 004493B5
      • AcquireSRWLockShared.KERNEL32 ref: 00479035
      • ReleaseSRWLockShared.KERNEL32 ref: 004791C0
        • Part of subcall function 004493A0: TlsGetValue.KERNEL32 ref: 004493E0
        • Part of subcall function 004493A0: TlsSetValue.KERNEL32(?,?,?,00478FC1), ref: 00449436
      Similarity
      • API ID: LockSharedValue$Release$Acquire
      • String ID: =J$Box<dyn Any><unnamed>$H;J$cannot access a Thread Local Storage value during or after destructionNtHgFDtekXONzqhlFlQwLwBSoWxHXrIjNcystVojTfNFroAqTbGPwlPIbUHSugSQZpuLwvTbziGpjRB$combase.dll
      • API String ID: 2478294547-174063075
      • Opcode ID: 5ceefa75caf545e7aab8b13c8c637dcc4ecd0043651bba3110ea6ad22e390818
      • Instruction ID: d389d45bb3ac3cf536ee4734554b013d36cbd48259a556b86e72a77259940f93
      • Opcode Fuzzy Hash: 5ceefa75caf545e7aab8b13c8c637dcc4ecd0043651bba3110ea6ad22e390818
      • Instruction Fuzzy Hash: DFF1B072209B8095EB21DB11E4503EEB7A4F796784F94811BEB8D03B65EF3CC845C74A
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VirtualProtect.KERNEL32(004B7210,00007FFE2167ADA0,?,?,?,00000001,0040124C), ref: 0048EB2D
      Strings
      • Unknown pseudo relocation protocol version %d., xrefs: 0048ECAE
      • Unknown pseudo relocation bit size %d., xrefs: 0048EC9A
      Similarity
      • API ID: ProtectVirtual
      • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
      • API String ID: 544645111-395989641
      • Opcode ID: 96c9089a14bb66e4021cb1132f525d51e742bf655e89da867390b65311ef7ed2
      • Instruction ID: e20c51f4b70e3fb97da2573c46fedd7d42da29c36f175e13867b56e916a5de29
      • Opcode Fuzzy Hash: 96c9089a14bb66e4021cb1132f525d51e742bf655e89da867390b65311ef7ed2
      • Instruction Fuzzy Hash: 8E918971B1024286FF28BB6BD84035E2392B7857A8F648D2BCF1947795DA3DD886C30D
      Uniqueness

      Uniqueness Score: -1.00%

      Similarity
      • API ID: CloseHandle$ErrorLastObjectSingleWait
      • String ID: (TJ$XTJ$`hJ$`hJ$called `Option::unwrap()` on a `None` value
      • API String ID: 1454876536-986961748
      • Opcode ID: 1c57a604834006be7913aed3006da0b5a967bb00c973e9a90c91c75b8f435624
      • Instruction ID: 7a556dbd096d04418a05a7251fc9563e98a8b689e92685c6029f1bbe5d0d7d42
      • Opcode Fuzzy Hash: 1c57a604834006be7913aed3006da0b5a967bb00c973e9a90c91c75b8f435624
      • Instruction Fuzzy Hash: 7C318BB2301A4481DE14EF16E4513AD33A4F789BA8F94861BEA6D477A4DF3CC58BC345
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      • internal error: entered unreachable codecalled `Option::unwrap()` on a `None` value, xrefs: 004740D4
      • assertion failed: old_right_len + count <= CAPACITY, xrefs: 004741A2
      • assertion failed: old_left_len >= count, xrefs: 004741BC
      Similarity
      • API ID: memcpy
      • String ID: assertion failed: old_left_len >= count$assertion failed: old_right_len + count <= CAPACITY$internal error: entered unreachable codecalled `Option::unwrap()` on a `None` value
      • API String ID: 3510742995-635693322
      • Opcode ID: 1219f0722ca8f7a45bfefbc6510c46b524d3b550021135c0ebb18115ed4a138c
      • Instruction ID: 2368c6545e656cde80952b0d2fdbf77e35caed5c97838106c4a019067d41ac51
      • Opcode Fuzzy Hash: 1219f0722ca8f7a45bfefbc6510c46b524d3b550021135c0ebb18115ed4a138c
      • Instruction Fuzzy Hash: F691F262605BC482DA569F18F8013EAB364FBA9798F549317DF8D13721EF39D296C300
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      • internal error: entered unreachable codecalled `Option::unwrap()` on a `None` value, xrefs: 0044B48A
      • <unknown>, xrefs: 0044B567
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: ErrorLast$CurrentDirectory
      • String ID: <unknown>$internal error: entered unreachable codecalled `Option::unwrap()` on a `None` value
      • API String ID: 3993060814-3859713071
      • Opcode ID: 54a9db52770cc810f18219c2841c20e6882d46db6fc28afea9062cc1178399f5
      • Instruction ID: a6094730c37471181426901b21496af45b9547dbe90b25cc318b65b60d1f9b4a
      • Opcode Fuzzy Hash: 54a9db52770cc810f18219c2841c20e6882d46db6fc28afea9062cc1178399f5
      • Instruction Fuzzy Hash: 8EC12662718B8482FA10DB22E48136FA750F785BD4F44451BEE8E53B5ACF7CC586C789
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: ErrorLast$GuaranteeStackThread
      • String ID: `XJ$combase.dll
      • API String ID: 3169470061-3099105406
      • Opcode ID: 05ac9ebbc23a6e67257447a06e142375bdb8c2ffce48dc5229e07a39d80bc033
      • Instruction ID: bf115d3623eb21a7871c87dea6f33891c2853caf970c1f7041d13eb390486463
      • Opcode Fuzzy Hash: 05ac9ebbc23a6e67257447a06e142375bdb8c2ffce48dc5229e07a39d80bc033
      • Instruction Fuzzy Hash: A2518E62304A4082DB25BB23E9553AE6361E789B98F84C42AEF8D47755DF7CC8C6C748
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      • assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}, xrefs: 0047461A
      • assertion failed: new_left_len <= CAPACITY, xrefs: 00474634
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: memcpy
      • String ID: assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}$assertion failed: new_left_len <= CAPACITY
      • API String ID: 3510742995-2079967719
      • Opcode ID: 9db3ff5ca7a829b6958b241964cdd99ee108a7b9daaf2ee6820e42fecfdeb227
      • Instruction ID: 75a4c7753a734ba6d4f2d64a18c62a4689f4184cc1a4c83f205b56e2c070b718
      • Opcode Fuzzy Hash: 9db3ff5ca7a829b6958b241964cdd99ee108a7b9daaf2ee6820e42fecfdeb227
      • Instruction Fuzzy Hash: 35B18B76614B8482CB05CF19E4443EA77A8FB99B94F499326EF8D13764EF38C295C300
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      • internal error: entered unreachable codecalled `Option::unwrap()` on a `None` value, xrefs: 004749AA
      • assertion failed: old_left_len + count <= CAPACITY, xrefs: 00474A82
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: memcpy
      • String ID: assertion failed: old_left_len + count <= CAPACITY$internal error: entered unreachable codecalled `Option::unwrap()` on a `None` value
      • API String ID: 3510742995-1776158219
      • Opcode ID: ff221e03208e67bc30b1fb8e60d0e92325c49556f774c30338aa84a47fce59c2
      • Instruction ID: 168a9c954a4ad45195da9e3b4a3d9e52c62e3cbfda78428a7f70bb2e1eb98027
      • Opcode Fuzzy Hash: ff221e03208e67bc30b1fb8e60d0e92325c49556f774c30338aa84a47fce59c2
      • Instruction Fuzzy Hash: 6DB1F2B3A04B8482DA568B18F4013FA7368FB99B98F159316DF8D13361EF39D296C304
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      • assertion failed: new_left_len <= CAPACITY, xrefs: 00474E9D
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: memcpy
      • String ID: assertion failed: new_left_len <= CAPACITY
      • API String ID: 3510742995-3316943531
      • Opcode ID: 13a6a664e1a003f0802a095bcf076f02b1ddb778090c6596b334c7772b9b7617
      • Instruction ID: 2fb8c2c2842c9e4521218fb3c34accac81c538cfa1b52d501b2ff87a12a7d099
      • Opcode Fuzzy Hash: 13a6a664e1a003f0802a095bcf076f02b1ddb778090c6596b334c7772b9b7617
      • Instruction Fuzzy Hash: 76A1C132614BC882CA16CF09E4413EA77A8FB99B94F499326DF5817360EF39D2A5C304
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      • internal error: entered unreachable codecalled `Option::unwrap()` on a `None` value, xrefs: 00466512
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: ErrorLast$EnvironmentVariable
      • String ID: internal error: entered unreachable codecalled `Option::unwrap()` on a `None` value
      • API String ID: 2691138088-2307832163
      • Opcode ID: ab99b5570afcb7b8256acfe5b290359e358cfba651596f7d0cf3c7d3d0239a33
      • Instruction ID: e1cf3a79392ea98d5efb469dee9a97e07b3a200d367e3cf270afb68fc3a93cda
      • Opcode Fuzzy Hash: ab99b5570afcb7b8256acfe5b290359e358cfba651596f7d0cf3c7d3d0239a33
      • Instruction Fuzzy Hash: 37512912318BC091EA20AB26F5453ABA750F7D6798F54411BEECA03B55EF7CC4C6C74A
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • QueryPerformanceFrequency.KERNEL32 ref: 0044A2FA
      • GetLastError.KERNEL32 ref: 0044A47C
      Strings
      • combase.dll, xrefs: 0044A455
      • called `Result::unwrap()` on an `Err` value, xrefs: 0044A49A
      • overflow when subtracting durations, xrefs: 0044A4B9
      • attempt to divide by zero, xrefs: 0044A426
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: ErrorFrequencyLastPerformanceQuery
      • String ID: attempt to divide by zero$called `Result::unwrap()` on an `Err` value$combase.dll$overflow when subtracting durations
      • API String ID: 3362413890-3445815809
      • Opcode ID: d1126a1ab2869e882d8dafd99f86e2eef64959862409994caa5d59f33758ae7e
      • Instruction ID: 918db2be05d9fecead57a44184567a8696f9c9253550e959ebac91c520ffa577
      • Opcode Fuzzy Hash: d1126a1ab2869e882d8dafd99f86e2eef64959862409994caa5d59f33758ae7e
      • Instruction Fuzzy Hash: D75135663A4A4082EF18DF24D9443AE63A1E7947C4F549127E90F43B64EB3CCA56C30A
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      • VirtualQuery failed for %d bytes at address %p, xrefs: 0048E9D7
      • VirtualProtect failed with code 0x%x, xrefs: 0048E996
      • Address %p has no image-section, xrefs: 0048E9ED
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: Virtual$ErrorLastProtectQuery
      • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
      • API String ID: 637304234-2123141913
      • Opcode ID: f692a8806b1b26d46a2067508ec73fd10152bd258dfab308313f4e77cf2c6ec7
      • Instruction ID: e969eb645ea5ade8606ff0f9ed6800d3c4158f84b4ff79635f406f9e3ae39c66
      • Opcode Fuzzy Hash: f692a8806b1b26d46a2067508ec73fd10152bd258dfab308313f4e77cf2c6ec7
      • Instruction Fuzzy Hash: C051F0B370165086EB24AF27E84075E77A0F799BA4F448A26EF4953364DB3CC541C308
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      • internal error: entered unreachable codecalled `Option::unwrap()` on a `None` value, xrefs: 0046882C
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: ErrorLast$FinalHandleNamePath
      • String ID: internal error: entered unreachable codecalled `Option::unwrap()` on a `None` value
      • API String ID: 1636761289-2307832163
      • Opcode ID: edc4e51d3128602fd9ae894cc14c8c2bcf7bf6fcdc6eaf9045bfd2a035c0bb86
      • Instruction ID: 09dddfacaa4b75998feffdc118c9c3fba7de0da9b58e763448528e6b0ff95f6a
      • Opcode Fuzzy Hash: edc4e51d3128602fd9ae894cc14c8c2bcf7bf6fcdc6eaf9045bfd2a035c0bb86
      • Instruction Fuzzy Hash: 6E411A62318B8085DA10AB22E90436AA760F7957E4F64471FFE5D43B95EF7CC5C1C70A
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: ErrorLast$FrequencyPerformanceQuery
      • String ID: attempt to divide by zero$called `Result::unwrap()` on an `Err` value$pCJ
      • API String ID: 1045536338-2307886941
      • Opcode ID: 0d126af691e6f874cf8258d94293a124a228aaa0781c4dc93ff3b71506b6f6e0
      • Instruction ID: 9c783f84375439ff8798dd01e756c973f8cf7e393809a48daa36364be95f69ba
      • Opcode Fuzzy Hash: 0d126af691e6f874cf8258d94293a124a228aaa0781c4dc93ff3b71506b6f6e0
      • Instruction Fuzzy Hash: 5531E2A1364B4482FB44EB52A8413EA7366F7C57C4F84902BEA4E07B59DF3CC556C34A
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      • use of std::thread::current() is not possible after the thread's local data has been destroyed, xrefs: 004477A7
      • combase.dll, xrefs: 0044776F, 004477D6
      • ($J, xrefs: 00447783
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID:
      • String ID: ($J$combase.dll$use of std::thread::current() is not possible after the thread's local data has been destroyed
      • API String ID: 0-3492916167
      • Opcode ID: 9562bc8f1152436cc4c267010d0043d2c3143bb6ccec0208915db55bfeb55d9a
      • Instruction ID: 1decd85f04789827a4771bab53902f8bfc9e638f1558b8d9662429196b6b424c
      • Opcode Fuzzy Hash: 9562bc8f1152436cc4c267010d0043d2c3143bb6ccec0208915db55bfeb55d9a
      • Instruction Fuzzy Hash: 0281F43221DB4081FA259B15E44136B67A1F785798F54892BEB8D07BA5DF3CD883C308
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • TlsGetValue.KERNEL32 ref: 00448785
      • TlsGetValue.KERNEL32 ref: 004487A5
      • TlsSetValue.KERNEL32 ref: 004487F3
        • Part of subcall function 00447A90: TlsAlloc.KERNEL32 ref: 00447AD2
        • Part of subcall function 00447A90: InitOnceComplete.KERNEL32 ref: 00447B0E
        • Part of subcall function 00448AA0: GetStdHandle.KERNEL32(?,?,?,?,?,00000669,00000000,?,00000651,00000661,004488EA), ref: 00448ABE
        • Part of subcall function 00448AA0: GetLastError.KERNEL32(?,?,?,?,?,00000669,00000000,?,00000651,00000661,004488EA), ref: 00448AD1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: Value$AllocCompleteErrorHandleInitLastOnce
      • String ID: (6J$h6J
      • API String ID: 784984758-3621754839
      • Opcode ID: 7d19ad3f77d57446cee49991d5bf82987105582fd12aaedf94f875ce68cdb561
      • Instruction ID: a3af73dd382c0ce2977f857dcbe9616a7d97d17a18a34674fc33320bdb948585
      • Opcode Fuzzy Hash: 7d19ad3f77d57446cee49991d5bf82987105582fd12aaedf94f875ce68cdb561
      • Instruction Fuzzy Hash: 4A5124A2704A8481FE29AB16E5453BFA351B745BC8F58482FEF4A07755EF7CC482C309
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • memcpy.NTDLL ref: 004016F1
        • Part of subcall function 0048436F: AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,00000000,004015B0), ref: 0048437A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: AcquireExclusiveLockmemcpy
      • String ID: /,@$HwJ$YFI$combase.dll$failed to park thread
      • API String ID: 1311006694-3075031705
      • Opcode ID: b670f25a262e801e5387c2a5df4c8c689ab3603f499ed48da4ccbc4535dd423d
      • Instruction ID: 07f57ac6cf35a8efb967f4b212d4279e8a73e1b444c399bc15ead3e85e308208
      • Opcode Fuzzy Hash: b670f25a262e801e5387c2a5df4c8c689ab3603f499ed48da4ccbc4535dd423d
      • Instruction Fuzzy Hash: D3517A72209BC495EB329F19E4403DAB7A4FB89748F848126DB8C53765EF7DC18ACB04
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • TlsGetValue.KERNEL32 ref: 00448086
      • TlsGetValue.KERNEL32 ref: 004480B4
      • TlsSetValue.KERNEL32(?,?,00000000,?,00447D9B), ref: 0044810E
      Strings
      • combase.dll, xrefs: 004192C3
      • 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899000000000000000000000000000000000000000000000000000000000000, xrefs: 004191D0
      • UJ, xrefs: 00448205
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: Value
      • String ID: UJ$00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899000000000000000000000000000000000000000000000000000000000000$combase.dll
      • API String ID: 3702945584-1935050902
      • Opcode ID: 407be064bf772b445aa31f0cf87ec96f57eda334bd5938e9f082223c6ac8a9b8
      • Instruction ID: a39ffd7c37d441d0062b46f9d1bcb19dbe2325d4f6fdaf2f0ec18f81a02204fb
      • Opcode Fuzzy Hash: 407be064bf772b445aa31f0cf87ec96f57eda334bd5938e9f082223c6ac8a9b8
      • Instruction Fuzzy Hash: A721A471306A0186FB68AB16E95636F2261EB80784F44883FC74A57791DF3CC946D349
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetCurrentProcessId.KERNEL32 ref: 00409A6E
      Strings
      • combase.dll, xrefs: 00409ADA
      • usernameprocess_nameexecutablepidparent_process_nameppidarch, xrefs: 00409B36
      • Unknown: armv5armv6armv7arm64i386i586i686x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64, xrefs: 00409722
      • encrypt_key, xrefs: 00409C04
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: CurrentProcess
      • String ID: Unknown: armv5armv6armv7arm64i386i586i686x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64$combase.dll$encrypt_key$usernameprocess_nameexecutablepidparent_process_nameppidarch
      • API String ID: 2050909247-1727271318
      • Opcode ID: d482320e58b024831015a11798e330e10c9163bb73054276a1656c9a59d43b63
      • Instruction ID: 3d2a02c9621564347fa6ee0724f1e821eec9ad2aad262ed3cd1d00340cede865
      • Opcode Fuzzy Hash: d482320e58b024831015a11798e330e10c9163bb73054276a1656c9a59d43b63
      • Instruction Fuzzy Hash: 648190A2318AC191DA21EB12E5413EAA361FBC5BC4F809427DF4D17B8ADF3DC645C748
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetCurrentProcessId.KERNEL32 ref: 00409A6E
      Strings
      • combase.dll, xrefs: 00409ADA
      • usernameprocess_nameexecutablepidparent_process_nameppidarch, xrefs: 00409B36
      • armv6armv7arm64i386i586i686x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64, xrefs: 00409519
      • encrypt_key, xrefs: 00409C04
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: CurrentProcess
      • String ID: armv6armv7arm64i386i586i686x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64$combase.dll$encrypt_key$usernameprocess_nameexecutablepidparent_process_nameppidarch
      • API String ID: 2050909247-1751261676
      • Opcode ID: f2eca58ccd6fe9c903b8c2a55dabff7e69a7b062c6b401d10c65b92c89e60f5b
      • Instruction ID: d383d139942eb6dca1e494431e00fcac640e3b10f64c7468bc30cc3faf8d13a4
      • Opcode Fuzzy Hash: f2eca58ccd6fe9c903b8c2a55dabff7e69a7b062c6b401d10c65b92c89e60f5b
      • Instruction Fuzzy Hash: 6071AFA2318AC191DA20EB12E5417EAA361FBC5BC4F849427DF4D17B8ADF3CC646C748
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetCurrentProcessId.KERNEL32 ref: 00409A6E
      Strings
      • combase.dll, xrefs: 00409ADA
      • usernameprocess_nameexecutablepidparent_process_nameppidarch, xrefs: 00409B36
      • x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64, xrefs: 00409785, 004099C5
      • encrypt_key, xrefs: 00409C04
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: CurrentProcess
      • String ID: combase.dll$encrypt_key$usernameprocess_nameexecutablepidparent_process_nameppidarch$x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64
      • API String ID: 2050909247-596227008
      • Opcode ID: 2277505b80e15e87b7b4e7714684bd9701e61f61fcb0ceba24f662ddf1a405e5
      • Instruction ID: 28b6542472ebed851e65a69ac263a75086d0d39dcc5cc103591b927135ba10c2
      • Opcode Fuzzy Hash: 2277505b80e15e87b7b4e7714684bd9701e61f61fcb0ceba24f662ddf1a405e5
      • Instruction Fuzzy Hash: 1171A2A2318AC191DA20EB12E5413EAA361FBC5BC4F849427DF4D17B8ADF3DC646C748
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetCurrentProcessId.KERNEL32 ref: 00409A6E
      Strings
      • combase.dll, xrefs: 00409ADA
      • usernameprocess_nameexecutablepidparent_process_nameppidarch, xrefs: 00409B36
      • arm64i386i586i686x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64, xrefs: 004097C1
      • encrypt_key, xrefs: 00409C04
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: CurrentProcess
      • String ID: arm64i386i586i686x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64$combase.dll$encrypt_key$usernameprocess_nameexecutablepidparent_process_nameppidarch
      • API String ID: 2050909247-1488543349
      • Opcode ID: 6233123e3aae671ba2ae2b697faa42eaf134363c43986d9b028fbfda51a8c230
      • Instruction ID: 4ba44e253738e296176a89f0725b1c56658ef8ba19259e0855adcd7598c57211
      • Opcode Fuzzy Hash: 6233123e3aae671ba2ae2b697faa42eaf134363c43986d9b028fbfda51a8c230
      • Instruction Fuzzy Hash: C671A2A2318AC191DA21EB12E5413EAA361FBC5BC4F849427DF4D17B8ADF3CC646C748
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetCurrentProcessId.KERNEL32 ref: 00409A6E
      Strings
      • i386i586i686x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64, xrefs: 004098DB
      • combase.dll, xrefs: 00409ADA
      • usernameprocess_nameexecutablepidparent_process_nameppidarch, xrefs: 00409B36
      • encrypt_key, xrefs: 00409C04
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: CurrentProcess
      • String ID: combase.dll$encrypt_key$i386i586i686x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64$usernameprocess_nameexecutablepidparent_process_nameppidarch
      • API String ID: 2050909247-4243896386
      • Opcode ID: 651f6d791049cc1b3155b14524d02053d30e35535faef12eb4fc8727e62c8c7c
      • Instruction ID: c3a707151a22277549d41e09854bba7b28a32767a537cf166e3ae80906177315
      • Opcode Fuzzy Hash: 651f6d791049cc1b3155b14524d02053d30e35535faef12eb4fc8727e62c8c7c
      • Instruction Fuzzy Hash: A5719EA2318A8191DA20EB12E5413EAA361FB85BC4F849427DF4D17B9ADF3CC646C748
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetCurrentProcessId.KERNEL32 ref: 00409A6E
      Strings
      • combase.dll, xrefs: 00409ADA
      • usernameprocess_nameexecutablepidparent_process_nameppidarch, xrefs: 00409B36
      • encrypt_key, xrefs: 00409C04
      • i586i686x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64, xrefs: 004098E7
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: CurrentProcess
      • String ID: combase.dll$encrypt_key$i586i686x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64$usernameprocess_nameexecutablepidparent_process_nameppidarch
      • API String ID: 2050909247-854136851
      • Opcode ID: fdd495792a70581d2a1f2411a101fd3d1eb415aa49341bc89a7f11078595cbed
      • Instruction ID: 52c2fc93fcaea71edfb74b3ff81b94ea345c6ee9099a0aebaa7d15fc58bf6e01
      • Opcode Fuzzy Hash: fdd495792a70581d2a1f2411a101fd3d1eb415aa49341bc89a7f11078595cbed
      • Instruction Fuzzy Hash: 07719FA2318A8191DA20EB12E5413EAA361FB85BC4F849427DF4D17B9ADF3CC646C748
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetCurrentProcessId.KERNEL32 ref: 00409A6E
      Strings
      • combase.dll, xrefs: 00409ADA
      • usernameprocess_nameexecutablepidparent_process_nameppidarch, xrefs: 00409B36
      • x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64, xrefs: 004099C5
      • encrypt_key, xrefs: 00409C04
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: CurrentProcess
      • String ID: combase.dll$encrypt_key$usernameprocess_nameexecutablepidparent_process_nameppidarch$x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64
      • API String ID: 2050909247-596227008
      • Opcode ID: 41c6789e82b1b8cb264b200c698e81344917cd75e09a4463971b850d69b5d9d9
      • Instruction ID: e2d8b875ef2b4728725e872357dcce6b87d83e511f50f735cf35c541b815de93
      • Opcode Fuzzy Hash: 41c6789e82b1b8cb264b200c698e81344917cd75e09a4463971b850d69b5d9d9
      • Instruction Fuzzy Hash: 60719EA2318A8191DA20EB12E5413EAA361FB85BC4F849427DF4D17B9ADF3CC646C748
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetCurrentProcessId.KERNEL32 ref: 00409A6E
      Strings
      • combase.dll, xrefs: 00409ADA
      • usernameprocess_nameexecutablepidparent_process_nameppidarch, xrefs: 00409B36
      • x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64, xrefs: 004099C5
      • encrypt_key, xrefs: 00409C04
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: CurrentProcess
      • String ID: combase.dll$encrypt_key$usernameprocess_nameexecutablepidparent_process_nameppidarch$x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64
      • API String ID: 2050909247-596227008
      • Opcode ID: 649c50115be27756248a5330f4b46d85b178103384747d9b42295d9731fd35d1
      • Instruction ID: be030801d4242dfd3a16b65233c95e4df98ecfa76fc1a4c8065104e83dffcf8f
      • Opcode Fuzzy Hash: 649c50115be27756248a5330f4b46d85b178103384747d9b42295d9731fd35d1
      • Instruction Fuzzy Hash: 1A71AFA2318AC191DA20EB13E5413EAA361FB85BC4F849427DF4D17B8ADF3CC646C748
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetCurrentProcessId.KERNEL32 ref: 00409A6E
      Strings
      • combase.dll, xrefs: 00409ADA
      • usernameprocess_nameexecutablepidparent_process_nameppidarch, xrefs: 00409B36
      • x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64, xrefs: 004099C5
      • encrypt_key, xrefs: 00409C04
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: CurrentProcess
      • String ID: combase.dll$encrypt_key$usernameprocess_nameexecutablepidparent_process_nameppidarch$x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64
      • API String ID: 2050909247-596227008
      • Opcode ID: f8ab0e8e5d497bf7b8598ee3bf615ddde978d89ba48c81358a5d18cc0e0d7e24
      • Instruction ID: 21303537d3d91213f8819835f84349eb807d4b42c1cad507bfc52f5795a01061
      • Opcode Fuzzy Hash: f8ab0e8e5d497bf7b8598ee3bf615ddde978d89ba48c81358a5d18cc0e0d7e24
      • Instruction Fuzzy Hash: 1871AFA2318AC191DA20EB13E5413EAA361FB85BC4F849427DF4D17B8ADF3CC646C748
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetCurrentProcessId.KERNEL32 ref: 00409A6E
      Strings
      • combase.dll, xrefs: 00409ADA
      • usernameprocess_nameexecutablepidparent_process_nameppidarch, xrefs: 00409B36
      • x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64, xrefs: 004099C5
      • encrypt_key, xrefs: 00409C04
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: CurrentProcess
      • String ID: combase.dll$encrypt_key$usernameprocess_nameexecutablepidparent_process_nameppidarch$x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64
      • API String ID: 2050909247-596227008
      • Opcode ID: 3939bc474778c7656640d66074bddcf55914ff5de810effe24f1301f22feebb4
      • Instruction ID: 90ce33244f4350e0f7bc485ebfa540bfa58c966595c0a500b8ffd68e6201a9ec
      • Opcode Fuzzy Hash: 3939bc474778c7656640d66074bddcf55914ff5de810effe24f1301f22feebb4
      • Instruction Fuzzy Hash: C471AFA2318AC191DA20EB13E5413EAA361FB85BC4F849427DF4D17B8ADF3CC646C748
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetCurrentProcessId.KERNEL32 ref: 00409A6E
      Strings
      • combase.dll, xrefs: 00409ADA
      • usernameprocess_nameexecutablepidparent_process_nameppidarch, xrefs: 00409B36
      • x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64, xrefs: 004099C5
      • encrypt_key, xrefs: 00409C04
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: CurrentProcess
      • String ID: combase.dll$encrypt_key$usernameprocess_nameexecutablepidparent_process_nameppidarch$x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64
      • API String ID: 2050909247-596227008
      • Opcode ID: c4900d5fbf846d7299743e9c8ddaa2432bcb54c1e1be11a8b031945700d241a3
      • Instruction ID: cd7450ba13ae314e080e6292d6c8ff5b2cbe3c0bfac850ad48bdf6dbd0633d2a
      • Opcode Fuzzy Hash: c4900d5fbf846d7299743e9c8ddaa2432bcb54c1e1be11a8b031945700d241a3
      • Instruction Fuzzy Hash: BF71AFA2318AC191DA20EB13E5413EAA361FB85BC4F849427DF4D17B8ADF3CC646C748
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetCurrentProcessId.KERNEL32 ref: 00409A6E
      Strings
      • combase.dll, xrefs: 00409ADA
      • usernameprocess_nameexecutablepidparent_process_nameppidarch, xrefs: 00409B36
      • x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64, xrefs: 004099C5
      • encrypt_key, xrefs: 00409C04
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: CurrentProcess
      • String ID: combase.dll$encrypt_key$usernameprocess_nameexecutablepidparent_process_nameppidarch$x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64
      • API String ID: 2050909247-596227008
      • Opcode ID: 1e6d7ae35eb6db2b876005fd6bb547e7d511db83fd492e335707366891e8508d
      • Instruction ID: d3df1be475edcd4c80a656458d3802f5b273fa936c524cd98cec2c329255839c
      • Opcode Fuzzy Hash: 1e6d7ae35eb6db2b876005fd6bb547e7d511db83fd492e335707366891e8508d
      • Instruction Fuzzy Hash: 26719EA2318A8191DA20EB13E5413EAA361FB85BC4F849427DF4D17B8ADF3CC646C748
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetCurrentProcessId.KERNEL32 ref: 00409A6E
      Strings
      • combase.dll, xrefs: 00409ADA
      • usernameprocess_nameexecutablepidparent_process_nameppidarch, xrefs: 00409B36
      • x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64, xrefs: 004099C5
      • encrypt_key, xrefs: 00409C04
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: CurrentProcess
      • String ID: combase.dll$encrypt_key$usernameprocess_nameexecutablepidparent_process_nameppidarch$x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64
      • API String ID: 2050909247-596227008
      • Opcode ID: ad9b71e27994ac0e62ad57058886beb23d54a8ebd5bb0dc950abd2027ae33a14
      • Instruction ID: 16d3f207711beae2151bab374fe84b98a18fdf345b49448845213e3e9bd9f4c0
      • Opcode Fuzzy Hash: ad9b71e27994ac0e62ad57058886beb23d54a8ebd5bb0dc950abd2027ae33a14
      • Instruction Fuzzy Hash: 16719EA2318AC191DA20EB12E5413EAA361FB85BC4F849427DF4D17B8ADF3CC646C748
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetCurrentProcessId.KERNEL32 ref: 00409A6E
      Strings
      • combase.dll, xrefs: 00409ADA
      • usernameprocess_nameexecutablepidparent_process_nameppidarch, xrefs: 00409B36
      • encrypt_key, xrefs: 00409C04
      • armv7arm64i386i586i686x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64, xrefs: 004098CF
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: CurrentProcess
      • String ID: armv7arm64i386i586i686x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64$combase.dll$encrypt_key$usernameprocess_nameexecutablepidparent_process_nameppidarch
      • API String ID: 2050909247-4218117482
      • Opcode ID: c7f33ec54e036c357fddddf517c5625a6a7987c099954a42c81882f09bdc40d1
      • Instruction ID: 5f8ce665772777b0c48edcda3f7dfdad5724c3a47dbc6d342bba8cb126d0027f
      • Opcode Fuzzy Hash: c7f33ec54e036c357fddddf517c5625a6a7987c099954a42c81882f09bdc40d1
      • Instruction Fuzzy Hash: 1E71AFA2318AC191DA20EB12E5413EAA361FB85BC4F849427DF4D17B8ADF3CC646C748
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetCurrentProcessId.KERNEL32 ref: 00409A6E
      Strings
      • combase.dll, xrefs: 00409ADA
      • usernameprocess_nameexecutablepidparent_process_nameppidarch, xrefs: 00409B36
      • x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64, xrefs: 004099C5
      • encrypt_key, xrefs: 00409C04
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: CurrentProcess
      • String ID: combase.dll$encrypt_key$usernameprocess_nameexecutablepidparent_process_nameppidarch$x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64
      • API String ID: 2050909247-596227008
      • Opcode ID: b3302d02946baf1ff969eeb3b010e95291ea374070706e0f22ae6b1da4c819b5
      • Instruction ID: fabcfd1224050118088fee7afb64674cba01d9fafaf93e59a444b00f7b45d160
      • Opcode Fuzzy Hash: b3302d02946baf1ff969eeb3b010e95291ea374070706e0f22ae6b1da4c819b5
      • Instruction Fuzzy Hash: 96719FA2318AC191DA20EB16E5413EAA361FB85BC4F849427DF4D17B9ADF3CC646C748
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetCurrentProcessId.KERNEL32 ref: 00409A6E
      Strings
      • combase.dll, xrefs: 00409ADA
      • usernameprocess_nameexecutablepidparent_process_nameppidarch, xrefs: 00409B36
      • x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64, xrefs: 004099C5
      • encrypt_key, xrefs: 00409C04
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: CurrentProcess
      • String ID: combase.dll$encrypt_key$usernameprocess_nameexecutablepidparent_process_nameppidarch$x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64
      • API String ID: 2050909247-596227008
      • Opcode ID: 5d4b0fb8924e3f565d61ffc593985b9645121c9614853a5a4622a10fda47c348
      • Instruction ID: 264023c17e8c03c2d7cf281ae4c630f5273ef8060c697cf069b5dead581ec5ce
      • Opcode Fuzzy Hash: 5d4b0fb8924e3f565d61ffc593985b9645121c9614853a5a4622a10fda47c348
      • Instruction Fuzzy Hash: 6A719FA2318AC191DA20EB16E5413EAA361FB85BC4F849427DF4D17B9ADF3CC646C748
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetCurrentProcessId.KERNEL32 ref: 00409A6E
      Strings
      • combase.dll, xrefs: 00409ADA
      • usernameprocess_nameexecutablepidparent_process_nameppidarch, xrefs: 00409B36
      • x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64, xrefs: 004099C5
      • encrypt_key, xrefs: 00409C04
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: CurrentProcess
      • String ID: combase.dll$encrypt_key$usernameprocess_nameexecutablepidparent_process_nameppidarch$x86_64mipsmipselmips64mips64elpowerpcpowerpc64powerpc64leriscv32riscv64s390xsparcsparc64wasm32wasm64
      • API String ID: 2050909247-596227008
      • Opcode ID: 74fa3941685297f70ace88943f215e3bf32a288af1eaea7bcedb3258df9b7f11
      • Instruction ID: 1ea11f3b61beea334b8484c282696e5a67a0a2b4e81eb77ae7db8c1bde00e48d
      • Opcode Fuzzy Hash: 74fa3941685297f70ace88943f215e3bf32a288af1eaea7bcedb3258df9b7f11
      • Instruction Fuzzy Hash: CC71AFA2318AC191DA20EB13E5413EAA361FB85BC4F849427DF4D17B8ADF3CC646C748
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,?,004659CE), ref: 00449B53
      • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,?,004659CE), ref: 00449B67
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: SetThreadDescription$kernel32$xNJ
      • API String ID: 1646373207-231013144
      • Opcode ID: 19338f6f3c5fdb357c988e7d888f81a0bd47133a7b76a212ab88d5a7a508688c
      • Instruction ID: e6eca30781c4cceba728a897ae03043945364c7c6e49f1ec7459961332f604f9
      • Opcode Fuzzy Hash: 19338f6f3c5fdb357c988e7d888f81a0bd47133a7b76a212ab88d5a7a508688c
      • Instruction Fuzzy Hash: 40410262604B8082FB25AB05E4493AF73A0F7847D8F44852BEA8D037D4EBBCC8C5D709
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: Library$AddressFreeLoadProc
      • String ID: VirtualFree$kernel32.dll
      • API String ID: 145871493-864021412
      • Opcode ID: 7180d367bbae0bb60fe8c266bbd8153e8e1dc34418ee9e501a497c092be2ea72
      • Instruction ID: dd7c71e77dcbd68ae20174b47063b1b51af620b4e0ce0ab1d5f2ffa35827ebf6
      • Opcode Fuzzy Hash: 7180d367bbae0bb60fe8c266bbd8153e8e1dc34418ee9e501a497c092be2ea72
      • Instruction Fuzzy Hash: D4018166712A0480EB15EB26F86036923A4FB8CFD8F584836CE1D47354EF3CD489C318
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: AllocCompleteInitOnce
      • String ID: UJ$combase.dll
      • API String ID: 622421136-3317273432
      • Opcode ID: 5693e1a81dea9c89508625276da9af7dd200d636fa32bd8efa79d435eaa6da60
      • Instruction ID: 0c7f37b5a4fa61dc74f7f223b3fb5a1f6a6a36736a305343acc11c09f8def3a8
      • Opcode Fuzzy Hash: 5693e1a81dea9c89508625276da9af7dd200d636fa32bd8efa79d435eaa6da60
      • Instruction Fuzzy Hash: 8031E433628A4086E720EF25E84035F73A1F78535CF54922AE79A43B65EF3CD586CB48
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: NtReleaseKeyedEvent$ntdll
      • API String ID: 1646373207-31681898
      • Opcode ID: b669de693e91e8035f0c3efbc9e39ae26a8d76159853555db6b7b3384fc08083
      • Instruction ID: 85282f263cde58473eee6c6e1d8d62b593f5d12a8f8c4afcfe5f37076a34335f
      • Opcode Fuzzy Hash: b669de693e91e8035f0c3efbc9e39ae26a8d76159853555db6b7b3384fc08083
      • Instruction Fuzzy Hash: C401BCA2305B4490EA14EF02B880799B7A4FB99BC4F84512EEE8D03B28EF3CC461C704
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • memcpy.NTDLL(?,?,?,?,?,?,00402444), ref: 00412D86
      • HeapReAlloc.KERNEL32 ref: 00412F2A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: AllocHeapmemcpy
      • String ID: called `Option::unwrap()` on a `None` value$MI
      • API String ID: 242294866-4111934126
      • Opcode ID: bfc4c43b9d2b9a64783e80ac5d49f0b41a501b55486b1567ac0c2c86c54b60aa
      • Instruction ID: c0802f47e93c3dac0b93daeee877d1125750ee938e5287c331bdf24b317447fa
      • Opcode Fuzzy Hash: bfc4c43b9d2b9a64783e80ac5d49f0b41a501b55486b1567ac0c2c86c54b60aa
      • Instruction Fuzzy Hash: C071A67230578442DA159F12EA403EA67A1F785BD4F188027EF8E87B59DBBCC5E38308
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: abort$CaptureContextExceptionRaiseUnwind
      • String ID:
      • API String ID: 4122134289-0
      • Opcode ID: f7998fc03c1d81965a32b286e25d1523564382699c2f31294b0d80ee4dab9acb
      • Instruction ID: 1867441abff502beea3adc52dd614a8110d62dffd13ee90cabc799346d0ee8c8
      • Opcode Fuzzy Hash: f7998fc03c1d81965a32b286e25d1523564382699c2f31294b0d80ee4dab9acb
      • Instruction Fuzzy Hash: 6D112B72215B8485DB60AF56E4403AEB7A4F388BD8F54052AEB8D03B58CF78C555CB04
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: memcpy
      • String ID:
      • API String ID: 3510742995-0
      • Opcode ID: e08f1b083afc5e51faabc2af601c8151d99858a2b10705f5cacf2ad83f4b3262
      • Instruction ID: 0add38830c8173087b3bb49081eb8dcae5f1a686f3c1f1caaa8d8f12e460718b
      • Opcode Fuzzy Hash: e08f1b083afc5e51faabc2af601c8151d99858a2b10705f5cacf2ad83f4b3262
      • Instruction Fuzzy Hash: F0223932519FC480E6368B18E4453EAB3B4FFA8789F456216DFC913725EB39D296CB04
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,00429663), ref: 0042909C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: AcquireExclusiveLock
      • String ID: called `Result::unwrap()` on an `Err` value$I
      • API String ID: 4021432409-1150075796
      • Opcode ID: b008d6daf4a8b1531643efaa558693785582329238bfca76963c0ce434211b51
      • Instruction ID: 316bb855acd62fa3dd3cd14cf2cf5872baa00832da3106855aac27f3075ad4a9
      • Opcode Fuzzy Hash: b008d6daf4a8b1531643efaa558693785582329238bfca76963c0ce434211b51
      • Instruction Fuzzy Hash: E021AFB2715A64A1EA00DB27E9543AE6321F744BD8F94841BDE0A03B14DF3ED9A7C309
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: __set_app_type
      • String ID: 0rK$@lK
      • API String ID: 1108511539-726316708
      • Opcode ID: 0935b04110ed02e6e096746e49978f4c5456667156d4d610ffd34295d06d863c
      • Instruction ID: df23da00df701f1420172c7f9c9c89d48c6ec591740481199025795e7db7e694
      • Opcode Fuzzy Hash: 0935b04110ed02e6e096746e49978f4c5456667156d4d610ffd34295d06d863c
      • Instruction Fuzzy Hash: F121BAB1700685C6EB54AF1AC8903AE37A1F786B40F85C427DB0A177B1CB7E88C5C70A
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1629261620.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1629243950.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629309978.0000000000490000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.0000000000491000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629327755.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629365667.00000000004B8000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1629382470.00000000004B9000.00000008.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_doc-1.jbxd
      Similarity
      • API ID: Heap$AllocFreeProcessmemcpy
      • String ID:
      • API String ID: 3455684755-0
      • Opcode ID: cec556d09c57f7eeb9699062616b9155d7618854b64edc0a9ced5fc5fb26312d
      • Instruction ID: 0f40c26e7bd1b90fca42de00878b67e58e3af02eda90d97df94aa468f626e80e
      • Opcode Fuzzy Hash: cec556d09c57f7eeb9699062616b9155d7618854b64edc0a9ced5fc5fb26312d
      • Instruction Fuzzy Hash: E711E5A271566441FE05EB57AA503BA26912B98BE4F494C3B9E0D07796EE3CC0D39308
      Uniqueness

      Uniqueness Score: -1.00%