
Windows Analysis Report
hiYc6Vnppc.exe

Overview

General Information

Sample Name: hiYc6Vnppc.exe
Analysis ID: 582342
MD5: 0c84297632dffe68994d744487849fd5
SHA1: e91fc4c3a570950f7cebb691b75ba57990f0ee74
SHA256: 6ccf16f1d1a495de9f5e7c1b60dd09da612ba2355887ebeb56cc1cacb5d64a5e
Tags: exe

Detection

Allcome clipbanker
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Allcome clipbanker
PE file has nameless sections
Machine Learning detection for sample
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Sample file is different than original file name gathered from version info
One or more processes crash
PE file contains an invalid checksum
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to communicate with device drivers
May check if the current machine is a sandbox (GetTickCount - Sleep)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • hiYc6Vnppc.exe (PID: 2328 cmdline: "C:\Users\user\Desktop\hiYc6Vnppc.exe" MD5: 0C84297632DFFE68994D744487849FD5)
    • WerFault.exe (PID: 5504 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 412 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
{"C2 url": "http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/Clipper/configure.php?cf6zrlhn=QWERTY", "Wallet": ["DPUnu15wbXcvTwEuQssdD48Q9iZUModBEG", "rh2nM92mFC5XfDXu9AcAUvzivX4ZQerLx4", "0xAC63c256f3F5F03d63F4F206F8E030232461e8d5", "Xaume5k7mVQqgDfJyTtysF721e6gvTkY7M", "TMSpq8DHdUeJ8KzVj8bnNuQKB6fEWYhR5i", "t1P9vxqf7nYQ4tHpo7TUfsXMpiQq14RMpC5", "GAGATITC6CREAQAVLZNORIHVBB4P6SXHTXPF7FYBR3VOSSUDVBT5TIV3", "qpm92rqxzejjn0ur9tl53gk87u7nlzw2zs6qz8djkn", "bc1q6sjafgxlmrxwdhh0v5zu58f48pvaqc04hvedl0", "0xAC63c256f3F5F03d63F4F206F8E030232461e8d5", "ltc1qn66m2mfk4txmgvz9lhm6q8ffetklqf2rak4qqc"]}
Source | Rule | Description | Author | Strings
00000000.00000000.328776321.0000000000430000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Allcomeclipbanker | Yara detected Allcome clipbanker | Joe Security |
00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Allcomeclipbanker | Yara detected Allcome clipbanker | Joe Security |
00000000.00000000.332292030.0000000000430000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Allcomeclipbanker | Yara detected Allcome clipbanker | Joe Security |
Process Memory Space: hiYc6Vnppc.exe PID: 2328 | JoeSecurity_Allcomeclipbanker | Yara detected Allcome clipbanker | Joe Security |

Source | Rule | Description | Author | Strings
0.0.hiYc6Vnppc.exe.43056c.2.raw.unpack | JoeSecurity_Allcomeclipbanker | Yara detected Allcome clipbanker | Joe Security |
0.0.hiYc6Vnppc.exe.43056c.2.unpack | JoeSecurity_Allcomeclipbanker | Yara detected Allcome clipbanker | Joe Security |
0.0.hiYc6Vnppc.exe.43056c.4.raw.unpack | JoeSecurity_Allcomeclipbanker | Yara detected Allcome clipbanker | Joe Security |
0.2.hiYc6Vnppc.exe.43056c.1.unpack | JoeSecurity_Allcomeclipbanker | Yara detected Allcome clipbanker | Joe Security |
0.2.hiYc6Vnppc.exe.43056c.1.raw.unpack | JoeSecurity_Allcomeclipbanker | Yara detected Allcome clipbanker | Joe Security |
                    No Sigma rule has matched


                    AV Detection

Source: hiYc6Vnppc.exe -- Avira: detected
Source: 0.2.hiYc6Vnppc.exe.43056c.1.raw.unpack -- Malware Configuration Extractor: Allcome clipbanker {"C2 url": "http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/Clipper/configure.php?cf6zrlhn=QWERTY", "Wallet": ["DPUnu15wbXcvTwEuQssdD48Q9iZUModBEG", "rh2nM92mFC5XfDXu9AcAUvzivX4ZQerLx4", "0xAC63c256f3F5F03d63F4F206F8E030232461e8d5", "Xaume5k7mVQqgDfJyTtysF721e6gvTkY7M", "TMSpq8DHdUeJ8KzVj8bnNuQKB6fEWYhR5i", "t1P9vxqf7nYQ4tHpo7TUfsXMpiQq14RMpC5", "GAGATITC6CREAQAVLZNORIHVBB4P6SXHTXPF7FYBR3VOSSUDVBT5TIV3", "qpm92rqxzejjn0ur9tl53gk87u7nlzw2zs6qz8djkn", "bc1q6sjafgxlmrxwdhh0v5zu58f48pvaqc04hvedl0", "0xAC63c256f3F5F03d63F4F206F8E030232461e8d5", "ltc1qn66m2mfk4txmgvz9lhm6q8ffetklqf2rak4qqc"]}
Source: hiYc6Vnppc.exe -- Virustotal: Detection: 65%
Source: hiYc6Vnppc.exe -- Metadefender: Detection: 23%
Source: hiYc6Vnppc.exe -- ReversingLabs: Detection: 79%
Source: hiYc6Vnppc.exe -- Joe Sandbox ML: detected
Source: hiYc6Vnppc.exe -- Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: Binary string: C:\Users\youar\Desktop\Allcome\Source code\Build\Release\Build.pdb source: hiYc6Vnppc.exe, 00000000.00000000.328776321.0000000000430000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0040AF20 FindFirstFileExW
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0040AFFB FindFirstFileExW,_free
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_021975C8 FindFirstFileA
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_021976A4 FindFirstFileA,GetLastError
Source: hiYc6Vnppc.exe, 00000000.00000000.328776321.0000000000430000.00000040.00000001.01000000.00000003.sdmp -- String found in binary or memory: https://steamcommunity.com/tradeoffer

                    System Summary

Source: hiYc6Vnppc.exe -- Static PE information: section name: (nameless section)
Source: hiYc6Vnppc.exe -- Static PE information: section name: (nameless section)
Source: hiYc6Vnppc.exe -- Static PE information: section name: (nameless section)
Source: hiYc6Vnppc.exe -- Static PE information: section name: (nameless section)
Source: hiYc6Vnppc.exe -- Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: hiYc6Vnppc.exe -- Binary or memory string: OriginalFilename vs hiYc6Vnppc.exe
Source: hiYc6Vnppc.exe, 00000000.00000000.333294097.0000000002191000.00000040.00000800.00020000.00000000.sdmp -- Binary or memory string: OriginalFilename vs hiYc6Vnppc.exe
Source: hiYc6Vnppc.exe, 00000000.00000000.333294097.0000000002191000.00000040.00000800.00020000.00000000.sdmp -- Binary or memory string: OriginalFilenameSV vs hiYc6Vnppc.exe
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 412
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0040E890
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_00411D7C
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0040ED28
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_00406644
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_00413682
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_00411E9C
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_021B62D8
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_021AC980
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_021AB1D8
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: String function: 00403290 appears 34 times
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_021BDB00 SetFocus,SendMessageA,DestroyWindow,DestroyWindow,DestroyWindow,DestroyWindow,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_021B02C0 CreateFileA,DeviceIoControl,CloseHandle
Source: hiYc6Vnppc.exe -- Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: hiYc6Vnppc.exe -- Static PE information: Section: (nameless section) ZLIB complexity 1.00047692587
Source: hiYc6Vnppc.exe -- Static PE information: Section: (nameless section) ZLIB complexity 1.00079571759
Source: hiYc6Vnppc.exe -- Static PE information: Section: (nameless section) ZLIB complexity 1.004296875
Source: hiYc6Vnppc.exe -- Static PE information: Section: .rsrc ZLIB complexity 0.998780708092
Source: hiYc6Vnppc.exe -- Virustotal: Detection: 65%
Source: hiYc6Vnppc.exe -- Metadefender: Detection: 23%
Source: hiYc6Vnppc.exe -- ReversingLabs: Detection: 79%
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: unknown -- Process created: C:\Users\user\Desktop\hiYc6Vnppc.exe "C:\Users\user\Desktop\hiYc6Vnppc.exe"
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 412
Source: C:\Windows\SysWOW64\WerFault.exe -- Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2328
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_00401B30 CreateThread,Sleep,GetSystemInfo,FindResourceA,LoadResource,SizeofResource,ExitProcess,ExitProcess,LockResource,VirtualProtect,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WerFault.exe -- File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBBF4.tmp
Source: classification engine -- Classification label: mal84.troj.evad.winEXE@2/4@0/0
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_02197878 GetDiskFreeSpaceA
Source: C:\Windows\SysWOW64\WerFault.exe -- File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: hiYc6Vnppc.exe -- Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\youar\Desktop\Allcome\Source code\Build\Release\Build.pdb source: hiYc6Vnppc.exe, 00000000.00000000.328776321.0000000000430000.00000040.00000001.01000000.00000003.sdmp
Source: hiYc6Vnppc.exe -- Static PE information: real checksum: 0x53bcc should be: 0x805ec
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0045145C push 021EE000h; ret 0_2_00451627
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0041D846 push ds; ret 0_2_0041D847
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0041D804 push ds; ret 0_2_0041D81B
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0041C80E push ds; ret 0_2_0041C80F
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0045100A push ebp; ret 0_2_0045100D
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0041D81C push ds; ret 0_2_0041D823
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0041D824 push ds; ret 0_2_0041D82B
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0041D82C push ds; ret 0_2_0041D833
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0041D834 push ds; ret 0_2_0041D83B
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0041D83C push ds; ret 0_2_0041D843
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0041627C push esp; ret 0_2_0041627D
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0041DBC4 push ds; ret 0_2_0041DBDF
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0041DBE0 push ds; ret 0_2_0041DBE7
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0041DBEA push ds; ret 0_2_0041DBEB
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_00419CFD push esi; ret 0_2_00419D06
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0041BE9F push es; ret 0_2_0041BEA6
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0041D754 push ds; ret 0_2_0041D767
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0041D760 push ds; ret 0_2_0041D767
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0041D768 push ds; ret 0_2_0041D7CB
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0041D73C push ds; ret 0_2_0041D753
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0041D7CC push 0000006Ah; ret 0_2_0041D7CF
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0041D7D0 push ds; ret 0_2_0041D7E3
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0041D7E4 push ds; ret 0_2_0041D7EB
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0041D7EC push ds; ret 0_2_0041D7F3
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0041D7F4 push ds; ret 0_2_0041D7FB
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0041D7FC push ds; ret 0_2_0041D803
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_021B6A18 push ecx; mov dword ptr [esp], edx 0_2_021B6A1C
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_021ADA20 push 021ADA4Ch; ret 0_2_021ADA44
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0219D294 push 0219D2C0h; ret 0_2_0219D2B8
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_021A72BC push 021A72E8h; ret 0_2_021A72E0
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_021A9AA4 push 021A9AD0h; ret 0_2_021A9AC8
Source: hiYc6Vnppc.exe -- Static PE information: section name: (nameless section)
Source: hiYc6Vnppc.exe -- Static PE information: section name: (nameless section)
Source: hiYc6Vnppc.exe -- Static PE information: section name: (nameless section)
Source: hiYc6Vnppc.exe -- Static PE information: section name: (nameless section)
Source: hiYc6Vnppc.exe -- Static PE information: section name: .adata
Source: initial sample -- Static PE information: section name: (nameless section) entropy: 7.99567995228
Source: initial sample -- Static PE information: section name: (nameless section) entropy: 7.98696648963
Source: initial sample -- Static PE information: section name: (nameless section) entropy: 7.92802135641
Source: initial sample -- Static PE information: section name: .rsrc entropy: 7.99660500201
Source: initial sample -- Static PE information: section name: .data entropy: 7.86896555158
Source: C:\Windows\SysWOW64\WerFault.exe -- Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe -- Process information set: NOOPENFILEERRORBOX (19 occurrences)

                    Malware Analysis System Evasion

Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_00401AE0 (2 occurrences)
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_021C0A10 rdtsc
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_00401B30 CreateThread,Sleep,GetSystemInfo,FindResourceA,LoadResource,SizeofResource,ExitProcess,ExitProcess,LockResource,VirtualProtect,LdrInitializeThunk
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0040AF20 FindFirstFileExW
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0040AFFB FindFirstFileExW,_free
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_021975C8 FindFirstFileA
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_021976A4 FindFirstFileA,GetLastError
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- API call chain: ExitProcess graph end node graph_0-21115
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- API call chain: ExitProcess graph end node graph_0-21465
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_00407A6D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0040C39C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Process queried: DebugPort (2 occurrences)
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0040CE43 GetProcessHeap
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_021C0A10 rdtsc
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_00401B30 CreateThread,Sleep,GetSystemInfo,FindResourceA,LoadResource,SizeofResource,ExitProcess,ExitProcess,LockResource,VirtualProtect,LdrInitializeThunk
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_004031C0 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0040305E SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_004058B3 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_004034F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_02194CB8 RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpy,GetLocaleInfoA,lstrlen,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_00403314 cpuid
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_021C030C GetVersionExA,GetVersionExA
Source: C:\Users\user\Desktop\hiYc6Vnppc.exe -- Code function: 0_2_0219D318 GetLocalTime

                    Stealing of Sensitive Information

Source: Yara match -- File source: 0.0.hiYc6Vnppc.exe.43056c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.0.hiYc6Vnppc.exe.43056c.2.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.0.hiYc6Vnppc.exe.43056c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.hiYc6Vnppc.exe.43056c.1.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.hiYc6Vnppc.exe.43056c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.0.hiYc6Vnppc.exe.43056c.4.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000000.00000000.328776321.0000000000430000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000000.332292030.0000000000430000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: hiYc6Vnppc.exe PID: 2328, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match -- File source: 0.0.hiYc6Vnppc.exe.43056c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.0.hiYc6Vnppc.exe.43056c.2.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.0.hiYc6Vnppc.exe.43056c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.hiYc6Vnppc.exe.43056c.1.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.hiYc6Vnppc.exe.43056c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.0.hiYc6Vnppc.exe.43056c.4.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000000.00000000.328776321.0000000000430000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000000.332292030.0000000000430000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: hiYc6Vnppc.exe PID: 2328, type: MEMORYSTR
(A number in front of a technique is the count of matched signatures mapped to that technique.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | 1 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 2 Software Packing | LSASS Memory | 14 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Deobfuscate/Decode Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 25 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 1 Remote System Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
Source | Detection | Scanner | Label
hiYc6Vnppc.exe | 66% | Virustotal |
hiYc6Vnppc.exe | 24% | Metadefender |
hiYc6Vnppc.exe | 79% | ReversingLabs | Win32.Trojan.AgentTesla
hiYc6Vnppc.exe | 100% | Avira | TR/Crypt.Agent.lshmn
hiYc6Vnppc.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
0.2.hiYc6Vnppc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1230732
0.2.hiYc6Vnppc.exe.43056c.1.unpack | 100% | Avira | HEUR/AGEN.1215503
0.0.hiYc6Vnppc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1215824
0.0.hiYc6Vnppc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1215824
0.0.hiYc6Vnppc.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1215824
No Antivirus matches
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://steamcommunity.com/tradeoffer | hiYc6Vnppc.exe, 00000000.00000000.328776321.0000000000430000.00000040.00000001.01000000.00000003.sdmp | false | | high
No contacted IP infos
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 582342
Start date: 03.03.2022
Start time: 12:30:57
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 57s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: hiYc6Vnppc.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.troj.evad.winEXE@2/4@0/0
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 78%
• Number of executed functions: 24
• Number of non-executed functions: 65
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 104.208.16.94
• Excluded domains from analysis (whitelisted): blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, watson.telemetry.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
                      • Not all processes were analyzed, report is missing behavior information
                      Time | Type | Description
                      12:32:07 | API Interceptor | 1x Sleep call for process: hiYc6Vnppc.exe modified
                      12:32:27 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                      No context
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.7760010118857009
                      Encrypted:false
                      SSDEEP:96:rDOVgFw5fCPn2Y0Lh457df0pXIQcQvc6QcEDMcw3Dj+HbHg/8BRTf3+kEJ8ImOyZ:ygUfin2YcHBUZMXAjcK/u7s0S274ItU
                      MD5:55B1BA3A1951AC21064E16CEA531C3BA
                      SHA1:C5675C7FA6613D25DDFA61B520DEED700FE558B1
                      SHA-256:865E8AE2EFF8EA9370444CF2502612D21CD1DE3F7820FC2D78C0E423DC95ED58
                      SHA-512:0CF1ADBBF9378850364800A216118414EF353CAC664EB832D7AD3BDA7A005EB12AF01430D4EB71937B39F4DBD59B2E323E0EAA8864D0802FD3512640E94D1347
                      Malicious:true
                      Reputation:low
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.0.8.1.3.1.4.2.4.4.8.6.5.0.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.0.8.1.3.1.4.4.3.5.4.8.5.0.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.c.3.b.0.6.2.a.-.7.0.7.f.-.4.b.8.0.-.9.d.e.0.-.a.3.d.6.0.5.f.2.1.d.6.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.4.d.5.4.d.3.7.-.2.3.2.4.-.4.f.f.e.-.b.1.2.7.-.8.d.c.5.d.4.5.a.6.c.2.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.h.i.Y.c.6.V.n.p.p.c...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.1.8.-.0.0.0.1.-.0.0.1.c.-.e.5.0.0.-.f.4.b.b.3.d.2.f.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.b.3.a.2.3.f.4.4.4.0.d.9.6.f.c.b.b.5.5.b.1.1.2.d.7.b.a.9.5.e.c.0.0.0.0.f.f.f.f.!.0.0.0.0.e.9.1.f.c.4.c.3.a.5.7.0.9.5.0.f.7.c.e.b.b.6.9.1.b.7.5.b.a.5.7.9.9.0.f.0.e.e.7.4.!.h.i.Y.c.6.V.n.p.p.c...e.x.e.....T.a.r.g.e.t.A.p.p.
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Thu Mar 3 20:32:22 2022, 0x1205a4 type
                      Category:dropped
                      Size (bytes):35934
                      Entropy (8bit):2.215766478248911
                      Encrypted:false
                      SSDEEP:192:jC6WuIqHPK+Ont31TEVhxJI5ioY3zfmg8lI026Vz5Xo:WsHPontOPI5ioY3zfi268
                      MD5:F5F39E7A4458705EF353DEB1C3B09D28
                      SHA1:31D40F28955A8B9A2C8C6B31F88B376CFC985118
                      SHA-256:1310D916175463DBACBE1936CA3EBE5B7D2CD2B7A679DD86DE815216493D66DE
                      SHA-512:10E02009E131679FCEF78CAB966ADCB9E3EE1CA2D0A703E320F99BC54D9257102E3D30A184E80869B5101E15FD5F014E760034BAEB6AAB1B874BD680A8BC5F05
                      Malicious:false
                      Reputation:low
                      Preview:MDMP....... ........%!b....................................4...B#..........T.......8...........T...............F{...........................................................................................U...........B..............GenuineIntelW...........T............%!b.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8308
                      Entropy (8bit):3.698099255745368
                      Encrypted:false
                      SSDEEP:192:Rrl7r3GLNikV63Nd6YF9SUWh98ygmf3SXCprk89bKJsfzOm:RrlsNi+63Nd6Y/SUu95gmf3SuKifz
                      MD5:A5CBE426612154DC627AE7D4F0017BA8
                      SHA1:FB4EDBA3147A0BEF9CAB96AFACF53A3A4EF0BC85
                      SHA-256:A03FF1E7825FA9B08D9A6F8D317437C82140126B35BAB67381CFE564CCDBCA33
                      SHA-512:5CBE3E2A4AB2689FABF1139320C305702E72D471C6F77B6E76C8B7C0AC7495E859886360C5983B6305A4300D5B014EF65495B77F1A350BAD99A9927202071936
                      Malicious:false
                      Reputation:low
                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.3.2.8.<./.P.i.d.>.......
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4567
                      Entropy (8bit):4.460796257662251
                      Encrypted:false
                      SSDEEP:48:cvIwSD8zsdJgtWI9hdWSC8Bf8fm8M4JUjUjjFt+q8/eL6EKUTUed:uITf3qsSNGJUjMDkeG9UTUed
                      MD5:84EC38FA42AA82A272A948D87B5660C9
                      SHA1:179B1E14AE382682B1D19E2221D05A6AD7D59BA9
                      SHA-256:BCC3246440F255AE153315BBA2F3A959467086DB83E010553F3B728B7AF8EE08
                      SHA-512:073C9E13486A1E51CBE1B2770E72B2E07D70ABD0FD96FB4DA95FC29D4C433E5CF33854180ED827707B7259E16FC9DD7559E96E4EB046076C0118F541A1C292EF
                      Malicious:false
                      Reputation:low
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1411543" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.915215782683756
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:hiYc6Vnppc.exe
                      File size:524288
                      MD5:0c84297632dffe68994d744487849fd5
                      SHA1:e91fc4c3a570950f7cebb691b75ba57990f0ee74
                      SHA256:6ccf16f1d1a495de9f5e7c1b60dd09da612ba2355887ebeb56cc1cacb5d64a5e
                      SHA512:4add0048a025a90bd8ffdc9fa0b1762062e0ea61bceefb365e7d0f9a9539174cf7fc432cef303c01d5c4777a9c4e60ff31381845848bea2ed535c19fbf74813f
                      SSDEEP:12288:dHDdD5BW/rGC9AqcrNNgqGK/lGRgOUqmq9kR6lhKXXCw0NWbWEyq7:dzU/rTAeqGK/cRgOnmq9g6qC/nq7
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.-...~...~...~.n.....~.n.. ..~.n.....~.r.....~.r.....~.n.....~...~...~.r.....~Yr.....~YrX~...~Yr.....~Rich...~...............
                      Icon Hash:a259dbcda5e8da25
                      Entrypoint:0x401000
                      Entrypoint Section:
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                      DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
                      Time Stamp:0x6207A556 [Sat Feb 12 12:17:26 2022 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:6
                      OS Version Minor:0
                      File Version Major:6
                      File Version Minor:0
                      Subsystem Version Major:6
                      Subsystem Version Minor:0
                      Import Hash:cd8b760cb83f38644768621cc3945d49
                      Instruction
                      push 00451001h
                      call 00007FBC44BE09B6h
                      ret
                      ret
                      sub byte ptr [EF21h], bl
                      scasb
                      minps xmm7, dqword ptr [edi-6Fh]
                      pop ebx
                      mov dl, 11h
                      mov eax, dword ptr [CCB3DF7Ah]
                      xlatb
                      out 1Ah, al
                      pop ds
                      mov ebp, ecx
                      push esi
                      in eax, dx
                      fsub st(6), st(0)
                      dec esi
                      test dword ptr [eax-5C54306Eh], C2E72840h
                      push esi
                      mov esi, 9E13ED28h
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x51c4c | 0xd8 | .data
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1e000 | 0x306fd | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1abdc | 0x1c |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x100000 |
                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      (no name) | 0x1000 | 0x14000 | 0xac00 | False | 1.00047692587 | data | 7.99567995228 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                      (no name) | 0x15000 | 0x7000 | 0x3600 | False | 1.00079571759 | data | 7.98696648963 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                      (no name) | 0x1c000 | 0x2000 | 0xa00 | False | 1.004296875 | data | 7.92802135641 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                      .rsrc | 0x1e000 | 0x31000 | 0x15a00 | False | 0.998780708092 | data | 7.99660500201 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                      (no name) | 0x4f000 | 0x2000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                      .data | 0x51000 | 0x5c000 | 0x5b600 | False | 0.967798820109 | data | 7.86896555158 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                      .adata | 0xad000 | 0x1000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                      Name | RVA | Size | Type | Language | Country
                      RT_ICON | 0x51eb8 | 0x12428 | data | |
                      RT_RCDATA | 0x3056c | 0x1e000 | data | Russian | Russia
                      RT_GROUP_ICON | 0x51ea4 | 0x14 | data | |
                      RT_MANIFEST | 0x51d24 | 0x17d | XML 1.0 document text | English | United States
                      DLL | Import
                      kernel32.dll | GetProcAddress, GetModuleHandleA, LoadLibraryA
                      user32.dll | GetCursorPos
                      oleaut32.dll | VariantChangeTypeEx
                      kernel32.dll | RaiseException
                      Language of compilation system | Country where language is spoken | Map
                      Russian | Russia |
                      English | United States |
                      No network behavior found

                      Target ID:0
                      Start time:12:32:00
                      Start date:03/03/2022
                      Path:C:\Users\user\Desktop\hiYc6Vnppc.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\hiYc6Vnppc.exe"
                      Imagebase:0x400000
                      File size:524288 bytes
                      MD5 hash:0C84297632DFFE68994D744487849FD5
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:Borland Delphi
                      Yara matches:
                      • Rule: JoeSecurity_Allcomeclipbanker, Description: Yara detected Allcome clipbanker, Source: 00000000.00000000.328776321.0000000000430000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Allcomeclipbanker, Description: Yara detected Allcome clipbanker, Source: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Allcomeclipbanker, Description: Yara detected Allcome clipbanker, Source: 00000000.00000000.332292030.0000000000430000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:low

                      Target ID:3
                      Start time:12:32:20
                      Start date:03/03/2022
                      Path:C:\Windows\SysWOW64\WerFault.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 412
                      Imagebase:0x1310000
                      File size:434592 bytes
                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                        Execution Graph

                        Execution Coverage:3.2%
                        Dynamic/Decrypted Code Coverage:20.8%
                        Signature Coverage:8.1%
                        Total number of Nodes:408
                        Total number of Limit Nodes:35
                        execution_graph: [node and edge listing of the rendered execution graph (408 nodes, 35 limit nodes); the graph image is not reproduced in this text]

                        Control-flow Graph

                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F003F,?,00000000,?,00000105), ref: 02194CF2
                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F003F,?,80000001,Software\Borland\Locales,00000000,000F003F,?,00000000,?,00000105), ref: 02194D10
                        • RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000005,00000000,02194D84,?,80000001,Software\Borland\Locales,00000000,000F003F,?,00000000,?), ref: 02194D4A
                        • RegQueryValueExA.ADVAPI32(?,02194EB0,00000000,00000000,00000000,00000005,?,00000000,00000000,00000000,00000000,00000005,00000000,02194D84,?,80000001), ref: 02194D68
                        • RegCloseKey.ADVAPI32(?,02194D8B,00000000,00000000,00000005,00000000,02194D84,?,80000001,Software\Borland\Locales,00000000,000F003F,?,00000000,?,00000105), ref: 02194D7E
                        • lstrcpy.KERNEL32(?,?), ref: 02194D96
                        • lstrlen.KERNEL32(00000000), ref: 02194DD4
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 02194E0B
                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 02194E1B
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 02194E31
                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 02194E41
                        • lstrcpy.KERNEL32(00000000,00000000), ref: 02194E55
                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 02194E65
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: lstrcpy$LibraryLoad$OpenQueryValue$Closelstrlen
                        • String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
                        • API String ID: 3871718695-3917250287
                        • Opcode ID: b5bb4a803b0445ee92669e5281789f3e0ee9a2022c59cacf1ea15ad7ed52a6da
                        • Instruction ID: 19aece7c94cba7b8889da7e7fdcd5489208409992e9017ff8925de1bd6a142bb
                        • Opcode Fuzzy Hash: b5bb4a803b0445ee92669e5281789f3e0ee9a2022c59cacf1ea15ad7ed52a6da
                        • Instruction Fuzzy Hash: 6A416E75E8021D7EFF22D6F49C46FEF77AD9B04744F4000A1AA08E6181D7789A85CFA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        • CreateThread.KERNELBASE(00000000,00000000,Function_00001AE0,00000000,00000000,00000000), ref: 00401B46
                        • Sleep.KERNELBASE(00000FA0), ref: 00401B51
                        • GetSystemInfo.KERNELBASE(0041D198), ref: 00401B63
                        • FindResourceA.KERNEL32(00000000,00000065,0000000A), ref: 00401B6F
                        • LoadResource.KERNEL32(00000000,?), ref: 00401B85
                        • SizeofResource.KERNEL32(00000000,?), ref: 00401B94
                        • ExitProcess.KERNEL32 ref: 00401BBC
                        • ExitProcess.KERNEL32 ref: 00401BC9
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: Resource$ExitProcess$CreateFindInfoLoadSizeofSleepSystemThread
                        • String ID: A$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe$gred %s
                        • API String ID: 374464391-639581637
                        • Opcode ID: 238b36dc926b0db8b205286b5ef8017c50b81e76edf80d0fcf8145aa5cce9492
                        • Instruction ID: 3c426bcc0a89f84b366c5dccdccd7126fc17696bba57f502a9d2f047407ce515
                        • Opcode Fuzzy Hash: 238b36dc926b0db8b205286b5ef8017c50b81e76edf80d0fcf8145aa5cce9492
                        • Instruction Fuzzy Hash: 3C415DB4E44204EFE704DFD4DD8ABEDBBB1FB48705F10806AEA05662E0D7B85A408B59
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph
                        • Graph image not available; basic blocks: 401ae0-401b0e (GetTickCount, Sleep, GetTickCount), 401b10-401b26 (ExitProcess), 401b2c-401b2f
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountTick$ExitProcessSleep
                        • String ID: Error$Virtual machine has been detected!
                        • API String ID: 1298644884-318677080
                        • Opcode ID: 94d7aa7a4fbc4389129c70ee98bb63dc58e8a5bccd12a9bf9e5f05f99f45ff4c
                        • Instruction ID: e48999178f891ef6c3da06b13ebf7ffed402eeb26958ceb21e4f816962d81e4b
                        • Opcode Fuzzy Hash: 94d7aa7a4fbc4389129c70ee98bb63dc58e8a5bccd12a9bf9e5f05f99f45ff4c
                        • Instruction Fuzzy Hash: FCE06534A90604FFE711BFE4DD49BDC7F74EB45702F508162E805E11D0D7745540866A
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SetUnhandledExceptionFilter.KERNELBASE(Function_000031CC,00402AF2), ref: 004031C5
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: f153aa39ca29a3ae629e15343f1eeea833f1a4a85a9f089f21b7ef5954a697de
                        • Instruction ID: caa87f2511bcd723d41eba5315e80d492d59ea616669c5976221f7c40eb68032
                        • Opcode Fuzzy Hash: f153aa39ca29a3ae629e15343f1eeea833f1a4a85a9f089f21b7ef5954a697de
                        • Instruction Fuzzy Hash:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: efb704f52671acc6e982d702847758b04619514dd0d8b90d11aa4d5c5ab53057
                        • Instruction ID: daedfca4df7a171acc4462f68c7c3a7e5eea08526ac767c09285fddc238292c0
                        • Opcode Fuzzy Hash: efb704f52671acc6e982d702847758b04619514dd0d8b90d11aa4d5c5ab53057
                        • Instruction Fuzzy Hash: BFF018B1D4124CAADF50E7E88CC4ECFB3AC5F05314F540691A529D3191EB3497054BA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph
                        • Graph image not available; basic blocks: entry 219af84-219afb2 (GetThreadLocale), 219afd0-219aff0 (GetSystemMetrics x2), 219aff2-219affc (GetCPInfo), 219b00e-219b01e (loop), exit 219b032-219b039
                        APIs
                        • GetThreadLocale.KERNEL32 ref: 0219AFAB
                        • GetSystemMetrics.USER32(0000004A), ref: 0219AFD2
                        • GetSystemMetrics.USER32(0000002A), ref: 0219AFE1
                        • GetCPInfo.KERNEL32(00000000,?,0000002A,0000004A), ref: 0219AFF5
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: MetricsSystem$InfoLocaleThread
                        • String ID:
                        • API String ID: 1011932403-0
                        • Opcode ID: 8eeb64042f016418861c01c67c88ae64f0a50439164fdde494d9561c3043d447
                        • Instruction ID: a82b64a614ed3f6f98c62aafe0b7efe9c2039d8ed7c010f40c5a58e9028e5a30
                        • Opcode Fuzzy Hash: 8eeb64042f016418861c01c67c88ae64f0a50439164fdde494d9561c3043d447
                        • Instruction Fuzzy Hash: 121157226C97C58DCF20BBB0A8003FABBA99F52218F0D8428D8E947242E721D505D762
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph
                        • Graph image not available; basic blocks: entry 40b8b4-40b8de (call 40b9c8, call 40b65e), 40b8e4-40b8ec (call 409870), 40b8fb-40b91c (call 40bac3), 40b91e-40b923 (call 408dab), 40b92b-40b938 (call 408e1b), 40b93f (call 407c94), 40b95d-40b965 (call 408e1b), 40b986-40b9b3 (call 40b550), exit 40b9b9-40b9c3
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free
                        • String ID: =q
                        • API String ID: 269201875-2849742216
                        • Opcode ID: 1fab7f3a6fec1fa9118639325d4d9e38d24c0ec74cbd72a1d2d2caa75d03a4f9
                        • Instruction ID: 6738cb0e1d088b0cb2dbbc45a0c49451c6b12779a5b2a60d8be934d07b1d6b3b
                        • Opcode Fuzzy Hash: 1fab7f3a6fec1fa9118639325d4d9e38d24c0ec74cbd72a1d2d2caa75d03a4f9
                        • Instruction Fuzzy Hash: 313190B1900209AFCB11EF69D880ADB77B4EF44314F14447BF511A72E1EB359D11CB98
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph
                        • Graph image not available; basic blocks: entry 407626-407639, 407657-407668 (call 408dbe), 407688-40768b (call 408dbe), 407698-4076a7 (call 408352), 4076a9-4076be (call 408e1b), 4076c9-4076d7 (call 4076f6, call 408e1b), 4076da-4076e8 (call 408e1b), 4076e9-4076f5 (call 405a8c)
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free
                        • String ID:
                        • API String ID: 269201875-0
                        • Opcode ID: 2ca95a611534c85a0761a32a6e5a1ecd73ce11374cbcd3ed30b0fbb1305e4377
                        • Instruction ID: a59ccf1c7cec1f1e3576e26af9464927681fc216644ccfa843392a6d0edb236f
                        • Opcode Fuzzy Hash: 2ca95a611534c85a0761a32a6e5a1ecd73ce11374cbcd3ed30b0fbb1305e4377
                        • Instruction Fuzzy Hash: 4E21373690C6005ADF149E6D9841BFB7B55CF82334F24057FE886BB3C1D93B6D02829A
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph
                        • Graph image not available; basic blocks: entry 40bf10-40bf25 (GetEnvironmentStringsW), 40bf27-40bf48 (call 40bed9, call 40be22), 40bf4a-40bf4b (call 409870), 40bf57-40bf6d (call 40be22), 40bf77-40bf7e (call 408e1b), 40bf86-40bf87 (FreeEnvironmentStringsW), exit 40bf8d-40bf93
                        APIs
                        • GetEnvironmentStringsW.KERNEL32 ref: 0040BF19
                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0040BF87
                          • Part of subcall function 0040BE22: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,00410D20,?,00000000,00000000), ref: 0040BECE
                          • Part of subcall function 00409870: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 004098A2
                        • _free.LIBCMT ref: 0040BF78
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
                        • String ID:
                        • API String ID: 2560199156-0
                        • Opcode ID: 57ddae6f788429a58357c33df5addce2e2a19eb5f71adcea41f02254c7720639
                        • Instruction ID: 7b08b985ce3283757e291cfeb7caa3aa2c0d3e7525d9026c7d70d7794454af9d
                        • Opcode Fuzzy Hash: 57ddae6f788429a58357c33df5addce2e2a19eb5f71adcea41f02254c7720639
                        • Instruction Fuzzy Hash: 7501D872A056167BE72116B74C89CBB696CCDC6BA4315013EBD00E3281EF78CD0185FC
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph
                        • Graph image not available; basic blocks: entry 45145c-451471, 451473-4514b4 (call 451771), 4514cc (call 45176d), 4514f8-451590 (VirtualAlloc, call 451630, VirtualAlloc), 451595-45159b (loop header), 4515bb-451627 (VirtualFree)
                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,00060000,00001000,00000040), ref: 0045150D
                        • VirtualAlloc.KERNELBASE(00000000,00060000,00001000,00000040), ref: 0045153B
                        • VirtualFree.KERNELBASE(00640000,00000000,00008000,?,02190000,00000001,00000000,00000000,00451869), ref: 0045161C
                        Memory Dump Source
                        • Source File: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: Virtual$Alloc$Free
                        • String ID:
                        • API String ID: 3668210933-0
                        • Opcode ID: b9263a3ea97515307f9a6e52b5386bd9baeb3277eab9d3304407ca47a679fcc5
                        • Instruction ID: 1ebe51e50d1f1ebfb3bdc33b77c5478414fd2efbacd455dcae5c5c58ca2e9bd2
                        • Opcode Fuzzy Hash: b9263a3ea97515307f9a6e52b5386bd9baeb3277eab9d3304407ca47a679fcc5
                        • Instruction Fuzzy Hash: DE4136B5A402899FDB71CF18CC81BD977E4FB49700F048126EE099F392D274AA45CB58
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph
                        • Graph image not available; basic blocks: entry 4075d3-4075da, 4075df-4075ef (call 40ba68, call 40bf10), 4075f6-4075f7 (call 407626), 407612-407619 (call 408e1b), 40761a-407625 (call 408e1b)
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free
                        • String ID:
                        • API String ID: 269201875-0
                        • Opcode ID: ac80dc4a250b6ed9d5a5aba3b151104855fbac6e09490768fd3c6f9c33a58d6e
                        • Instruction ID: 6eee036400eb921e0b5e3bb71656fee3878ea8893a895daa09a45989a53471d3
                        • Opcode Fuzzy Hash: ac80dc4a250b6ed9d5a5aba3b151104855fbac6e09490768fd3c6f9c33a58d6e
                        • Instruction Fuzzy Hash: B2E0A972E0A92111D222263EAC056AB1544EBC1339F114B3FF431E72E0DFBC590255DF
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph
                        • Graph image not available; basic blocks: entry 45144f-451471, 451473-4514b4 (call 451771), 4514cc (call 45176d), 4514f8-451590 (VirtualAlloc, call 451630, VirtualAlloc), 451595-45159b (loop header), 4515bb-451627 (VirtualFree)
                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,00060000,00001000,00000040), ref: 0045150D
                        • VirtualAlloc.KERNELBASE(00000000,00060000,00001000,00000040), ref: 0045153B
                        • VirtualFree.KERNELBASE(00640000,00000000,00008000,?,02190000,00000001,00000000,00000000,00451869), ref: 0045161C
                        Memory Dump Source
                        • Source File: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: Virtual$Alloc$Free
                        • String ID:
                        • API String ID: 3668210933-0
                        • Opcode ID: bebaf7b250cdae4cd25bb78736d135890c3776ddd88833bc03eaad82a00b5c3a
                        • Instruction ID: 9ad3af553773c2db6a171916ee54ba9fccedbeaf49f19f1e433f705b6bf3e66e
                        • Opcode Fuzzy Hash: bebaf7b250cdae4cd25bb78736d135890c3776ddd88833bc03eaad82a00b5c3a
                        • Instruction Fuzzy Hash: 703158B5A04289DFDB71CF28CC81BD97BA4FB09701F044166EE0ADF352D234AA85CB59
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph
                        • Graph image not available; basic blocks: entry 45148f-4514db (call 451787), 4514f8-451590 (VirtualAlloc, call 451630, VirtualAlloc), 451595-45159b (loop header), 4515bb-451627 (VirtualFree)
                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,00060000,00001000,00000040), ref: 0045150D
                        • VirtualAlloc.KERNELBASE(00000000,00060000,00001000,00000040), ref: 0045153B
                        • VirtualFree.KERNELBASE(00640000,00000000,00008000,?,02190000,00000001,00000000,00000000,00451869), ref: 0045161C
                        Memory Dump Source
                        • Source File: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: Virtual$Alloc$Free
                        • String ID:
                        • API String ID: 3668210933-0
                        • Opcode ID: 84da2c4fe391c618f00e249224eec55e1e1a2223947fd682f33e01f4b94cb8f3
                        • Instruction ID: f1adc86ba098958f003e24b781357a84f0a54895facb5aec4a8593971d9eb7fc
                        • Opcode Fuzzy Hash: 84da2c4fe391c618f00e249224eec55e1e1a2223947fd682f33e01f4b94cb8f3
                        • Instruction Fuzzy Hash: 062126B594028ADFDB75CF18CC81BD977A0FB49301F044126EE0EAF352D634AA85CB99
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph
                        • Graph image not available; basic blocks: entry 4514ea-451590 (VirtualAlloc, call 451630, VirtualAlloc), 451595-45159b (loop header), 45159d-4515a3, 4515a5-4515b4, 4515b6-4515b9, 4515bb-451627 (VirtualFree)
                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,00060000,00001000,00000040), ref: 0045150D
                        • VirtualAlloc.KERNELBASE(00000000,00060000,00001000,00000040), ref: 0045153B
                        • VirtualFree.KERNELBASE(00640000,00000000,00008000,?,02190000,00000001,00000000,00000000,00451869), ref: 0045161C
                        Memory Dump Source
                        • Source File: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                         • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: Virtual$Alloc$Free
                        • String ID:
                        • API String ID: 3668210933-0
                        • Opcode ID: a9f29b2fd031eb0dbf69e84aa5bab7cde95b7eafe921fed151961b058d97720b
                        • Instruction ID: 5993ef0d9e1548ac2d8282d9b5720bf0468db73f8fda7de7216d4a6a89500f2e
                        • Opcode Fuzzy Hash: a9f29b2fd031eb0dbf69e84aa5bab7cde95b7eafe921fed151961b058d97720b
                        • Instruction Fuzzy Hash: 2A211AB5A402899FDB75CF18CC81BD97BA0FB0C301F044156EE4DAF382D274AA81CB99
                        Uniqueness

                        Uniqueness Score: -1.00%

                         Control-flow Graph (graph image not reproduced; nodes and edges recovered from the graph data)
                         • 249: 219141c-2191429
                         • 250: 219142b-2191430
                         • 251: 2191432-2191438
                         • 252: 219143e-2191456, VirtualAlloc
                         • 253: 2191458-2191466, call 21912d0
                         • 254: 219147b-219147e
                         • 257: 2191468-2191479, VirtualFree
                         • Edges: 249->250, 249->251, 250->252, 251->252, 252->253, 252->254, 253->254, 253->257, 257->254
                        APIs
                        • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000001,?,?,?,02191725), ref: 0219144B
                        • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,02191725), ref: 02191472
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: Virtual$AllocFree
                        • String ID:
                        • API String ID: 2087232378-0
                        • Opcode ID: 5b4e12ce82a76dfc66d9901f6b05c53c30602be81a9ef16b148d556142dd2036
                        • Instruction ID: fd0db6a6164032c8224e15e57c65cea3659e75d0d3beb1bdcfffbac2ac05dffc
                        • Opcode Fuzzy Hash: 5b4e12ce82a76dfc66d9901f6b05c53c30602be81a9ef16b148d556142dd2036
                        • Instruction Fuzzy Hash: 2BF02772BC06213BDF20AA694DC0B5265959F8ABD0F150070FA4CFF3C8D3614C828AA0
                        Uniqueness

                        Uniqueness Score: -1.00%

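The two VirtualAlloc/VirtualFree records above print their arguments as raw hex and name their dump sources with long .sdmp identifiers, which is where the security-relevant detail hides: the first record commits 0x60000 bytes with protection 0x40 (PAGE_EXECUTE_READWRITE) from inside the 0x400000 image, and the second record lives in a dump marked "based on PE: false". The Python below is an added triage helper, not part of the Joe Sandbox report or its tooling. It decodes the Win32 allocation-type and page-protection constants (MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE_READWRITE and so on, from the Windows SDK) and flags RWX commits, RWX image sections and executable regions that no PE image backs. The .sdmp field layout it assumes (base address, protection, memory type) is an inference from the identifiers on this page, where 01000000 (MEM_IMAGE) lines up with "based on PE: true" and 00020000 (MEM_PRIVATE) with "based on PE: false"; check it against your own reports before relying on it. The input lines are constructed copies of records on this page.

```python
"""Decode raw hex API arguments and .sdmp identifiers from Joe Sandbox function records.

Added triage helper, not part of the sandbox report. The sample input below is a
constructed copy of lines from the records on this page."""
import re

# Win32 constants from the Windows SDK, used to decode e.g.
# VirtualAlloc(00000000,00060000,00001000,00000040) -> commit 0x60000 bytes RWX.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE",
             0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXEC_PROT = {0x10, 0x20, 0x40, 0x80}
WRITE_PROT = {0x04, 0x08, 0x40, 0x80}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# "Api.MODULE(arg,arg,...), ref: ADDR" as printed in the APIs list; '?' marks an unknown arg.
API_RE = re.compile(r"(\w+)\.(\w+)\(([0-9A-Fa-f?,]*)\),\s*ref:\s*([0-9A-Fa-f]+)")
# ASSUMED layout of the .sdmp name, inferred from this page only:
# <proc>.<stage>.<seq>.<base, 16 hex>.<protect>.<unknown>.<memory type>.<unknown>.sdmp
DUMP_RE = re.compile(r"(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})"
                     r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp")


def parse_api_line(line):
    """Return {'api','module','args','ref'} for an API line, or None if the line is not one."""
    m = API_RE.search(line)
    if not m:
        return None
    api, module, args, ref = m.groups()
    argv = [None if a == "?" else int(a, 16) for a in args.split(",") if a]
    return {"api": api, "module": module, "args": argv, "ref": int(ref, 16)}


def flag_names(table, value):
    """Names of the bits from `table` that are set in `value` (empty when value is unknown)."""
    return [name for bit, name in sorted(table.items()) if value is not None and value & bit]


def decode_virtual_alloc(rec):
    """Decode (lpAddress, dwSize, flAllocationType, flProtect); unknown args stay None."""
    addr, size, alloc, prot = (rec["args"] + [None] * 4)[:4]
    base_prot = None if prot is None else prot & 0xFF   # drop PAGE_GUARD/NOCACHE modifiers
    return {"address": addr, "size": size, "ref": rec["ref"],
            "alloc": flag_names(MEM_FLAGS, alloc),
            "protect": PAGE_PROT.get(base_prot, "?" if prot is None else hex(prot)),
            "rwx": base_prot == 0x40}


def decode_virtual_free(rec):
    """Decode (lpAddress, dwSize, dwFreeType)."""
    addr, size, free_type = (rec["args"] + [None] * 3)[:3]
    return {"address": addr, "size": size, "ref": rec["ref"],
            "free": flag_names(MEM_FLAGS, free_type)}


def parse_dump_name(text):
    """Base address, protection and memory type of a dump; None if text holds no .sdmp name."""
    m = DUMP_RE.search(text)
    if not m:
        return None
    base, prot, mtype = int(m.group(4), 16), int(m.group(5), 16), int(m.group(7), 16)
    return {"base": base, "protect": PAGE_PROT.get(prot, hex(prot)),
            "type": MEM_TYPE.get(mtype, hex(mtype)),
            "executable": prot in EXEC_PROT, "writable": prot in WRITE_PROT,
            "image_backed": mtype == 0x1000000}


def triage(lines):
    """Findings worth a second look: RWX commits, RWX image sections, and executable
    regions that no PE image backs (the footprint of unpacked or injected code)."""
    findings = []
    for line in lines:
        rec = parse_api_line(line)
        if rec and rec["api"] == "VirtualAlloc":
            d = decode_virtual_alloc(rec)
            if d["rwx"] and "MEM_COMMIT" in d["alloc"]:
                findings.append(("rwx_commit", d["ref"], d["size"]))
            continue
        dump = parse_dump_name(line)
        if dump and dump["executable"] and not dump["image_backed"]:
            findings.append(("private_exec_region", dump["base"], dump["type"]))
        elif dump and dump["executable"] and dump["writable"]:
            findings.append(("rwx_image_region", dump["base"], dump["type"]))
    return findings


# Constructed sample: lines copied from the VirtualAlloc/VirtualFree records above.
SAMPLE_LINES = [
    "VirtualAlloc.KERNELBASE(00000000,00060000,00001000,00000040), ref: 0045150D",
    "VirtualFree.KERNELBASE(00640000,00000000,00008000,?,02190000,00000001,00000000,00000000,00451869), ref: 0045161C",
    "VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000001,?,?,?,02191725), ref: 0219144B",
    "VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0219161D",
    "Source File: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true",
    "Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false",
]

if __name__ == "__main__":
    for kind, where, detail in triage(SAMPLE_LINES):
        print(f"{kind:22} {where:#010x} {detail if isinstance(detail, str) else hex(detail)}")
```

On this input the helper reports a 0x60000-byte MEM_COMMIT with PAGE_EXECUTE_READWRITE at 0x45150D, an RWX image section at 0x451000 and a private executable region at 0x2191000. The reserve of 0x100000 bytes with PAGE_NOACCESS in the second record and the PAGE_READWRITE commit at 0x219161D are ordinary allocator behaviour and are not flagged; the private RWX region is the one to pull and examine, since the report can only describe it as "based on PE: false".
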
                         Control-flow Graph (graph image not reproduced; nodes and edges recovered from the graph data)
                         • 258: 40c3cd-40c3da, call 408dbe
                         • 260: 40c3df-40c3ea
                         • 261: 40c3f0-40c3f8
                         • 262: 40c3ec-40c3ee
                         • 263: 40c43b-40c447, call 408e1b
                         • 264: 40c3fa-40c3fe
                         • 265: 40c400-40c435, call 4091c2
                         • 270: 40c437-40c43a
                         • Edges: 258->260, 260->261, 260->262, 261->263, 261->264, 262->263, 264->265, 265->270, 270->263
                        APIs
                          • Part of subcall function 00408DBE: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00408DFF
                        • _free.LIBCMT ref: 0040C43C
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                         • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeap_free
                        • String ID:
                        • API String ID: 614378929-0
                        • Opcode ID: 7cdb1adbac90d47b2a0f731c9530347fa274a67fae20e76af33faa291fd62161
                        • Instruction ID: a9c062645c249a793ec015192c9dea85c4d66c4428afa4f7f731a7b1dd4b4762
                        • Opcode Fuzzy Hash: 7cdb1adbac90d47b2a0f731c9530347fa274a67fae20e76af33faa291fd62161
                        • Instruction Fuzzy Hash: 6D0126B2600316ABC3208F69C881A9AFB98FB443B0F14473EE555B76C0D774AC1187E8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00408DFF
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                         • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        • Opcode ID: 1316ec912249c896431ab4b8c603abbed80ac0edd6ca2d1a4da4625dbdaf6fbd
                        • Instruction ID: 2b7acc13a5487b1c421e5c08bb205c8e5bc938bbb60da56e08cea36ded211d7c
                        • Opcode Fuzzy Hash: 1316ec912249c896431ab4b8c603abbed80ac0edd6ca2d1a4da4625dbdaf6fbd
                        • Instruction Fuzzy Hash: FFF0243150462067DB315B229E00BAB3748AFE2370B14853FA884F66C1CE38E80296ED
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 00408DBE: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00408DFF
                        • _free.LIBCMT ref: 00411FB5
                          • Part of subcall function 00408E1B: HeapFree.KERNEL32(00000000,00000000,?,0040C803,?,00000000,?,?,?,0040C82A,?,00000007,?,?,0040CC50,?), ref: 00408E31
                          • Part of subcall function 00408E1B: GetLastError.KERNEL32(?,?,0040C803,?,00000000,?,?,?,0040C82A,?,00000007,?,?,0040CC50,?,?), ref: 00408E43
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                         • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateErrorFreeLast_free
                        • String ID:
                        • API String ID: 314386986-0
                        • Opcode ID: 3b3f8ba533214d9cc1e478e6ea1d4c4a9f9e8982e364af526da1030537af5488
                        • Instruction ID: 6d78d8f7c2ef938a304f1081cfc6fcf51d8826d4d53437afd31c52bc69e58626
                        • Opcode Fuzzy Hash: 3b3f8ba533214d9cc1e478e6ea1d4c4a9f9e8982e364af526da1030537af5488
                        • Instruction Fuzzy Hash: 43F062725007049FD3259F45D901B92B7E9EF80B15F10843FE69A9B6E1D7B8A486CB88
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 004098A2
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                         • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeap
                        • String ID:
                        • API String ID: 1279760036-0
                        • Opcode ID: 7197c73b67966d2c05e0f155165b38c2724e0a0689cce004df1f3a6dbf461eb2
                        • Instruction ID: 870dfbd59bfd8ccdfc04b447516768083a8d4e9db1f4497add884e9ac293723e
                        • Opcode Fuzzy Hash: 7197c73b67966d2c05e0f155165b38c2724e0a0689cce004df1f3a6dbf461eb2
                        • Instruction Fuzzy Hash: E5E0A03252862456E62037628C00B9B36589F837A0B1A813BEC05B23D2DA3D9C0281EE
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                         • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: __vfwprintf_l
                        • String ID:
                        • API String ID: 1051920573-0
                        • Opcode ID: 4d69f74b89572369ab4cd514bd66c354dd54c20530531eb6c8588fd7e28fb9ab
                        • Instruction ID: dda2a424f9dfb230d2d17bcba1e4d99089c80eb14b1ff097ce4a2c0987242356
                        • Opcode Fuzzy Hash: 4d69f74b89572369ab4cd514bd66c354dd54c20530531eb6c8588fd7e28fb9ab
                        • Instruction Fuzzy Hash: D6E04FB5D0020CBFEB00EF94D946B9EB7B8DB44714F1081AAED08A7381E671AB548BD1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0219161D
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 4942eef3a4c88f155bb713efe5b06165db6af9eebc5dce0602efc692b8fa8211
                        • Instruction ID: 95ff04dc53759079b81dda5ecfc6480a4533b3a8147d84d4e8f9b235e41ad694
                        • Opcode Fuzzy Hash: 4942eef3a4c88f155bb713efe5b06165db6af9eebc5dce0602efc692b8fa8211
                        • Instruction Fuzzy Hash: 161170B2A85602AFC7108E29C88061BB7E5EBC4761F0AC52CE59C97354D770BC818A91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VirtualFree.KERNEL32(00000000,00000000,00004000,?,?,?,02234000,02238003,021918AB), ref: 0219169E
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        • Opcode ID: a6588ff0857fcda20d917424285aa3d12d31db5a27c2bc08e481ed936e3fd1a5
                        • Instruction ID: 0731db6e199c8bd5ba4742154c54d89448051df58fa160ebc712dd0685f7c7c0
                        • Opcode Fuzzy Hash: a6588ff0857fcda20d917424285aa3d12d31db5a27c2bc08e481ed936e3fd1a5
                        • Instruction Fuzzy Hash: 2101FC76AC9205AFC7109E28DDC0B2A77E4E784324F1A057CDD8997341D3727C918BE4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VirtualAlloc.KERNELBASE(00000000,00000014,00001000,00000040,?,?,021C9A33,?,?,?), ref: 021BCC38
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 838e851495497d3d5afa8b318cb7ff378629cfaa9fb05e00bb555cd0a7b66b47
                        • Instruction ID: a5a7dcdcbd1848b47653be29c046453aefa93220a78feefc90da5a6fa9f436de
                        • Opcode Fuzzy Hash: 838e851495497d3d5afa8b318cb7ff378629cfaa9fb05e00bb555cd0a7b66b47
                        • Instruction Fuzzy Hash: 56D012B13422306FE321C6999C81F9267D8DB4D7A1F100161F70CDB2D0D1A05C008794
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • VirtualFree.KERNELBASE(?,00000000,00008000,021CCD3D,?,?,?,?,021CCE2B), ref: 021BCC52
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        • Opcode ID: e2c4764dff1ecaae3db098727c0146a5abe1626fb41be33696b4ea2629586872
                        • Instruction ID: 3e663ec16be015ef2f22a688faa9b046520748fc7148a49cc77a972741ce680b
                        • Opcode Fuzzy Hash: e2c4764dff1ecaae3db098727c0146a5abe1626fb41be33696b4ea2629586872
                        • Instruction Fuzzy Hash: C2C092703922009FD281CB48CC81F0233E8BB88B00F400090F104CF2E0CA60A8008B00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetVersionExA.KERNEL32(0000009C), ref: 021C0392
                          • Part of subcall function 021C07C4: GetVersionExA.KERNEL32(?,00000000,021C0882,?,00000000,?,021C0355), ref: 021C081B
                        • GetVersionExA.KERNEL32(0000009C), ref: 021C0361
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: Version
                        • String ID: LANMANNT$ProductType$SERVERNT$System\CurrentControlSet\Control\ProductOptions$WINNT
                        • API String ID: 1889659487-2290413088
                        • Opcode ID: 7fa826ca762c21524171d1692875f52ff24398293587ec527133de40558e0935
                        • Instruction ID: f68ec0ae43b499c5885e77cdb1af6e4662993983a8b1a1da2ed3a84748e72be6
                        • Opcode Fuzzy Hash: 7fa826ca762c21524171d1692875f52ff24398293587ec527133de40558e0935
                        • Instruction Fuzzy Hash: 2031B53CAC9248DEEF24DAA489417EB77A9DB3E308F7650AED451E7141D7348542CB11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SetFocus.USER32(021E50A0), ref: 021BDB3C
                        • DestroyWindow.USER32(?), ref: 021BDB6D
                        • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 021BDBDD
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: Window$DestroyFocusNtdllProc_
                        • String ID:
                        • API String ID: 3483532353-0
                        • Opcode ID: 490edbf8bd2c721184d250125d638ef9b62d63bf77115012812aec7536fff93b
                        • Instruction ID: cc063dfc4463f3189d06828fd00661891f643978d276b8579d49f208b10cd036
                        • Opcode Fuzzy Hash: 490edbf8bd2c721184d250125d638ef9b62d63bf77115012812aec7536fff93b
                        • Instruction Fuzzy Hash: F2210C752C4149AFDF2EDEA8EA84EEA37BABF46314F408811F9158B245C771D940CB61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                         • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: __floor_pentium4
                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                        • API String ID: 4168288129-2761157908
                        • Opcode ID: cc40a9a354b5e79e9c4b01d85ad401466cbd0923e17a0a0cc4f6c77154fe8870
                        • Instruction ID: 700f4b05c05fc33e27dfa3181a2f160ffe134a85e0109692c7d4d5c562555375
                        • Opcode Fuzzy Hash: cc40a9a354b5e79e9c4b01d85ad401466cbd0923e17a0a0cc4f6c77154fe8870
                        • Instruction Fuzzy Hash: A5D21671E086298BDB74CE28DD407EAB7B5EB48304F1445FBD80DE6680E778AE858F45
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateFileA.KERNEL32(021D6538,00000000,00000000,00000000,00000000,04000000,00000000,00000000,021B03B2), ref: 021B0340
                        • DeviceIoControl.KERNEL32(00000000,00000001,?,000000FF,00000000,00000000,?,00000000), ref: 021B0375
                        • CloseHandle.KERNEL32(00000000,00000000,00000001,?,000000FF,00000000,00000000,?,00000000,021D6538,00000000,00000000,00000000,00000000,04000000,00000000), ref: 021B038C
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: CloseControlCreateDeviceFileHandle
                        • String ID: \System\SER.VXD
                        • API String ID: 33631002-3682912164
                        • Opcode ID: 1e0282aab2371dff24e1881e7013f3580ac6725029c8f305e6b543f033199f48
                        • Instruction ID: d68db4b9dec83bb252a5eabfa0444256cfd63e1e59022f29436558ae89688f8f
                        • Opcode Fuzzy Hash: 1e0282aab2371dff24e1881e7013f3580ac6725029c8f305e6b543f033199f48
                        • Instruction Fuzzy Hash: B7213A70684708AFEF25EA64CC81FDFB3BA9F48B04F5041A1EA15B62D0E770AF458E54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetLocalTime.KERNEL32(?,00000000,0219D475), ref: 0219D3F0
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: LocalTime
                        • String ID: \pagefile.sys$\win386.swp
                        • API String ID: 481472006-523492860
                        • Opcode ID: 17ee8876ddd076df86674572699c3c01ef133038eea6bcdcf5313fac63975d8a
                        • Instruction ID: b61209b8f33ccc02941ac3f828f2167b5aae719e4f401be7a5893b6d3d9ee97e
                        • Opcode Fuzzy Hash: 17ee8876ddd076df86674572699c3c01ef133038eea6bcdcf5313fac63975d8a
                        • Instruction Fuzzy Hash: 0541F97598011EAADF14FFA4E9406EEF3B6EF09700F9084A1D814A3650EB34AF86CF54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                         • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cc068ba184f046630bd6e991861b1c485ec8df6db27087624b5ea5709390ad56
                        • Instruction ID: 93103586a9ceef539f4d77e427c28f4fddcfd0274641bc4b714935a846fb8d0a
                        • Opcode Fuzzy Hash: cc068ba184f046630bd6e991861b1c485ec8df6db27087624b5ea5709390ad56
                        • Instruction Fuzzy Hash: 04F15E71E002199FDF14CFA9C8806AEBBB1FF88314F15866AD819B7381D735AE11CB94
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0040B0C1
                        • _free.LIBCMT ref: 0040B212
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                         • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: FileFindFirst_free
                        • String ID:
                        • API String ID: 689657435-0
                        • Opcode ID: c1f910429d05cc122be3c01fd4a31821299b5684f1fa7cd948e5ddd0da83f145
                        • Instruction ID: 3a06af1e6300e4e127c8887008a413e0802c581576144d9922c8d82b7aa4bf47
                        • Opcode Fuzzy Hash: c1f910429d05cc122be3c01fd4a31821299b5684f1fa7cd948e5ddd0da83f145
                        • Instruction Fuzzy Hash: FA3146B19401195DDB20AE289CC9AFF73A9DB55308F1441FFE069B2281DB3C0D865AAD
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(00000000,C0000417), ref: 004059B5
                        • UnhandledExceptionFilter.KERNEL32(?), ref: 004059C2
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                         • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: 278b6c8511ce4885e9e9a60dbedda2120ae860790f788ef9bfeee9684b46457a
                        • Instruction ID: c0f7e2639cc15ccb9ad2660c6562d585f881661a6f141bcdf271140660008c86
                        • Opcode Fuzzy Hash: 278b6c8511ce4885e9e9a60dbedda2120ae860790f788ef9bfeee9684b46457a
                        • Instruction Fuzzy Hash: C831B774901218ABCB21DF69DD897CDBBB8FF48310F5041EAE40CA6290E7749F858F58
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32 ref: 00403156
                        • UnhandledExceptionFilter.KERNEL32(?), ref: 00403160
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                         • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: ce84cf3e23d0a6d24fc64c1201c671d3d84a3822d3d9aeb5b60701af25b0ac0a
                        • Instruction ID: e15de0840396deee12bf487befc3ad599f0f8ddb44ab4a27ce5d1cfb50ba4540
                        • Opcode Fuzzy Hash: ce84cf3e23d0a6d24fc64c1201c671d3d84a3822d3d9aeb5b60701af25b0ac0a
                        • Instruction Fuzzy Hash: 74314974C05218DADB20EFA5D949BCDBBF8BF08704F1041AAE50CAB290EB754B858F48
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00403614,00415280), ref: 004034F9
                        • UnhandledExceptionFilter.KERNEL32(00403614,?,00403614,00415280), ref: 00403502
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: af3a45c08fad757f82921cc3e9b6b718968e3112f9aed18eea1a0ffc111d50bc
                        • Instruction ID: 2cef8b53940ec940ed0f6b120f7b0ff0cabf1ee129e833cc2620446197af3020
                        • Opcode Fuzzy Hash: af3a45c08fad757f82921cc3e9b6b718968e3112f9aed18eea1a0ffc111d50bc
                        • Instruction Fuzzy Hash: A731F3F4911308AED700DF95FA857C4BBE4BB4C314F10C07AE9248B2A1E3B499818F4E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • FindFirstFileA.KERNEL32(00000000,?,?,?,00000001,0219D3C5,00000000,0219D475), ref: 021976BF
                        • GetLastError.KERNEL32(00000000,?,?,?,00000001,0219D3C5,00000000,0219D475), ref: 021976E4
                          • Part of subcall function 02197640: FileTimeToLocalFileTime.KERNEL32(?), ref: 0219766D
                          • Part of subcall function 02197640: FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0219767C
                          • Part of subcall function 021976F4: FindClose.KERNEL32(?,?,021976E2,00000000,?,?,?,00000001,0219D3C5,00000000,0219D475), ref: 02197700
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: FileTime$Find$CloseDateErrorFirstLastLocal
                        • String ID:
                        • API String ID: 976985129-0
                        • Opcode ID: b5e50eb9cc6753a5917c91f2fc53f76d5f4e7345019d2f3b76ed9a216832b6ef
                        • Instruction ID: 9ca68950636f62f89ee8bb43cc284518a9b2220cfcb72cf4a6c50f9fcd01cf72
                        • Opcode Fuzzy Hash: b5e50eb9cc6753a5917c91f2fc53f76d5f4e7345019d2f3b76ed9a216832b6ef
                        • Instruction Fuzzy Hash: D7E0EDF3B821200B1F24AE7D08C085B958A5E846A430A06B6E928CB285DB20CC138BE0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,0041367D,00000000,?,00000008,?,?,00413315,00000000), ref: 004138AF
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExceptionRaise
                        • String ID:
                        • API String ID: 3997070919-0
                        • Opcode ID: 07a9c044905a7755e1628af98819a7d89e5252ef390c8c07ee61c138e53a6736
                        • Instruction ID: 43ccbb8978d24294af21c5e24cbed49dd1552a47edfa67c3174935a437176aa5
                        • Opcode Fuzzy Hash: 07a9c044905a7755e1628af98819a7d89e5252ef390c8c07ee61c138e53a6736
                        • Instruction Fuzzy Hash: B5B15FB5610604DFD714CF28C486BA57BE0FF45365F258659E89ACF3A1C339EA82CB44
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c739d1c6a14957cf84208182ce6e984cf96ad2e5ab5aa13e32033f575219186c
                        • Instruction ID: 5083aece22af5d6506588a6007101e4044cb119c2caf6c63f0728d65b2a9198a
                        • Opcode Fuzzy Hash: c739d1c6a14957cf84208182ce6e984cf96ad2e5ab5aa13e32033f575219186c
                        • Instruction Fuzzy Hash: 2141B8B1804219AFDB10DF69CC89AEEB7B8EF45304F1442EEE41DE3241D6359E848F54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetDiskFreeSpaceA.KERNEL32(00000000,?,?,?,?), ref: 02197899
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: DiskFreeSpace
                        • String ID:
                        • API String ID: 1705453755-0
                        • Opcode ID: c982e1cf5a99f9fa9977126e6836e47726ecb48f5223997347083cec8e94bb96
                        • Instruction ID: 900796ddfd377ad557e8ce50e303a99ec6105d4a55e6f4db030cc9cf634e4845
                        • Opcode Fuzzy Hash: c982e1cf5a99f9fa9977126e6836e47726ecb48f5223997347083cec8e94bb96
                        • Instruction Fuzzy Hash: BE11DEB5E00209AF9B04CF99C881DEFF7FAEFC8310B54C569A519E7254E7319E018BA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitProcess
                        • String ID:
                        • API String ID: 621844428-0
                        • Opcode ID: b67e660137902377c1bd5e8862efe3acc6fd731f5ed8225fc8030fa3c10f366e
                        • Instruction ID: 84f479360f2e6d1c16921b4ec698a4041345c7a25e0006a90db0867a96083481
                        • Opcode Fuzzy Hash: b67e660137902377c1bd5e8862efe3acc6fd731f5ed8225fc8030fa3c10f366e
                        • Instruction Fuzzy Hash: 33E09B30614504EBCE11BBA4CD54A8E3F14EB40310F148426F80455292CB3DFE90DD6A
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 0
                        • API String ID: 0-4108050209
                        • Opcode ID: da55992896ce73b64e7b67eea58183c9fc9bd325487895a0f581d5c018ec2773
                        • Instruction ID: 091bdf5e62febd5a6e5c309a2fb1bc7011397078684b298c3d94b91c72984d1b
                        • Opcode Fuzzy Hash: da55992896ce73b64e7b67eea58183c9fc9bd325487895a0f581d5c018ec2773
                        • Instruction Fuzzy Hash: 7E514A7020064856DB388A2985957BF779D9B42308F1A093FD883FB3C1C63EED75866E
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID:
                        • String ID: 112
                        • API String ID: 0-1616928578
                        • Opcode ID: 51ed2acf174c034bf2c63cc17347112237f39fa7203f243bb2fd59fbc9bbd760
                        • Instruction ID: 58bece57dd903f3298f53a1d3169ea30d59a4bbdd23b97fa8736713366feacf5
                        • Opcode Fuzzy Hash: 51ed2acf174c034bf2c63cc17347112237f39fa7203f243bb2fd59fbc9bbd760
                        • Instruction Fuzzy Hash: B741B681BC75909FEA877AAC54C03EE01774F66B44FE18270D2229F789D75ACD138746
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: W
                        • API String ID: 0-655174618
                        • Opcode ID: c80711a0b236d99cd74dafb75a8a59689c6365c265bd71a030c434548d86ce2b
                        • Instruction ID: 0b183b952898a98bf0ba082220faadc0810cbbd59001941ec5845be169b6f62d
                        • Opcode Fuzzy Hash: c80711a0b236d99cd74dafb75a8a59689c6365c265bd71a030c434548d86ce2b
                        • Instruction Fuzzy Hash: 10518BB1E412158BDB15CF98E9C56AABBF5FB48311F24C47AD801EB390D3799A01CF98
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: HeapProcess
                        • String ID:
                        • API String ID: 54951025-0
                        • Opcode ID: c088a4e7cdaace391546c98e6f03870cdb8fddc72efc3a2188784a25f1d99e84
                        • Instruction ID: 3286082713fb0e4feee6c1c44b1ee69f1d997f3bc81a95e81afb07cc7afa2fce
                        • Opcode Fuzzy Hash: c088a4e7cdaace391546c98e6f03870cdb8fddc72efc3a2188784a25f1d99e84
                        • Instruction Fuzzy Hash: 8BA022B0E00B00CF83008F32EE083CC3BE8BA822CA302C038A00BC0230EB388080CF08
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a5797c28ce8b9f195c1b73362480e9bd58889a08c9dc1d6cf2cd085d4bf685f5
                        • Instruction ID: 3be9d5ee7d1adbe4892fabd05f5ec20b97f20376f65cd5a5e63c8f7b980b318a
                        • Opcode Fuzzy Hash: a5797c28ce8b9f195c1b73362480e9bd58889a08c9dc1d6cf2cd085d4bf685f5
                        • Instruction Fuzzy Hash: 10918E39E842198FDB14DFA8C5A0AAEB7F2FB48350F11412AD816B7350DB75A945CFE0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 29b69c7b6c9fb4bda54e62216c6989b30310bfede9ef9a0868b46e5daf6878b3
                        • Instruction ID: bf1eddeffad3c78b32d11faf22ad25571a516f53603ce7c82d888a32e70f6eae
                        • Opcode Fuzzy Hash: 29b69c7b6c9fb4bda54e62216c6989b30310bfede9ef9a0868b46e5daf6878b3
                        • Instruction Fuzzy Hash: BF719E78B486969FC714CE18C4E0A2AF7A2FF99314F15CA19E8A58B705D330F991CBD1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: dc71be762f8715ad9d13bf709785b6f6890c6ba34153193cbe57788e69b67264
                        • Instruction ID: e4ea8aaf837ab143f23aed2b2e1d598ac991040530ec36f8ff5c61d4c98b7a59
                        • Opcode Fuzzy Hash: dc71be762f8715ad9d13bf709785b6f6890c6ba34153193cbe57788e69b67264
                        • Instruction Fuzzy Hash: 5421B373F204394B7B0CC57E8C522BDB6E1C68C601745823EF8A6EA2C1D968D917E2E4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d6f16113cdf5bf2b607b985eb23ac49171c0cec118e5f3d8ce175772f06a074c
                        • Instruction ID: 135671fd2a4c67b99fd5a0fcb7c452cc2b762ad6384b67a36051f366f17fd56f
                        • Opcode Fuzzy Hash: d6f16113cdf5bf2b607b985eb23ac49171c0cec118e5f3d8ce175772f06a074c
                        • Instruction Fuzzy Hash: EB11CA33F30C255B675C81AD8C132BA91D2DBD824071F533AD826E72C4E9A4DE13D290
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0bd13e8db2f9529ace82a69afeb937bb4eaa021dae9aa292d34fedb844de8450
                        • Instruction ID: d757c09329a45aec2d5af0cab6efca3ad2814e3c05feaacd6f1d17020de67398
                        • Opcode Fuzzy Hash: 0bd13e8db2f9529ace82a69afeb937bb4eaa021dae9aa292d34fedb844de8450
                        • Instruction Fuzzy Hash: 88E08C32921238EBCB14DB89C98498EF3ECEB44B04B1141ABF901E3281C278EF00C7D4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4c0459424f1116aad770ded283a34064420ff478638f7431598b181d6a31c336
                        • Instruction ID: 515e982fcc113093bc8b9341a6cdcd2dd9e3cb9215dfa8f3b5e9b2f25e208636
                        • Opcode Fuzzy Hash: 4c0459424f1116aad770ded283a34064420ff478638f7431598b181d6a31c336
                        • Instruction Fuzzy Hash:
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetModuleHandleA.KERNEL32(00000000,?,?), ref: 021BDC49
                        • LoadIconA.USER32(021E50B0,MAINICON), ref: 021BDC7C
                        • LoadCursorA.USER32(00000000,00007F00), ref: 021BDC8B
                        • RegisterClassA.USER32(021E5068), ref: 021BDCA8
                        • SetWindowTextA.USER32(021E50A4,021D725E), ref: 021BDCF8
                        • SetWindowTextA.USER32(021E50AC,Name:), ref: 021BDD08
                        • SetWindowTextA.USER32(021E50A8,Code:), ref: 021BDD18
                        • ShowWindow.USER32(021E5090,00000001,021E50A8,Code:,021E50AC,Name:,021E50A4,021D725E,021E5068,00000000,00007F00,021E50B0,MAINICON,00000000,?,?), ref: 021BDD25
                        • SetFocus.USER32(021E50A0,021E5090,00000001,021E50A8,Code:,021E50AC,Name:,021E50A4,021D725E,021E5068,00000000,00007F00,021E50B0,MAINICON,00000000,?), ref: 021BDD30
                        • GetFocus.USER32 ref: 021BDD48
                        • DestroyWindow.USER32(021E5090,021E50B4,00000000,00000000,00000000,021E50A0,021E5090,00000001,021E50A8,Code:,021E50AC,Name:,021E50A4,021D725E,021E5068,00000000), ref: 021BDD94
                        • TranslateMessage.USER32(021E50B4), ref: 021BDD9A
                        • DispatchMessageA.USER32(021E50B4), ref: 021BDDA0
                        • GetMessageA.USER32(021E50B4,00000000,00000000,00000000), ref: 021BDDAC
                        • DestroyWindow.USER32(021E509C,021E50B4,00000000,00000000,00000000,021E50A0,021E5090,00000001,021E50A8,Code:,021E50AC,Name:,021E50A4,021D725E,021E5068,00000000), ref: 021BDDC5
                        • DestroyWindow.USER32(021E50A0,021E509C,021E50B4,00000000,00000000,00000000,021E50B4,021E50B4,021E50B4,00000000,00000000,00000000,021E50A0,021E5090,00000001,021E50A8), ref: 021BDDD0
                        • DestroyWindow.USER32(021E5094,021E50A0,021E509C,021E50B4,00000000,00000000,00000000,021E50B4,021E50B4,021E50B4,00000000,00000000,00000000,021E50A0,021E5090,00000001), ref: 021BDDDB
                        • DestroyWindow.USER32(021E5098,021E5094,021E50A0,021E509C,021E50B4,00000000,00000000,00000000,021E50B4,021E50B4,021E50B4,00000000,00000000,00000000,021E50A0,021E5090), ref: 021BDDE6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: Window$Destroy$MessageText$FocusLoad$ClassCursorDispatchHandleIconModuleRegisterShowTranslate
                        • String ID: Code:$KeysDialog$MAINICON$Name:
                        • API String ID: 3228851985-2456160341
                        • Opcode ID: 7e25ec50c674fa702ea8227d9ec6abe11f33d4371848f0ca810fe899477c5896
                        • Instruction ID: dad30b0380e2f10379008b7aa038784a50c53d5538a83b8550099020f6c6c6aa
                        • Opcode Fuzzy Hash: 7e25ec50c674fa702ea8227d9ec6abe11f33d4371848f0ca810fe899477c5896
                        • Instruction Fuzzy Hash: F2515E71AC0284AFDF55EFB8AC80B9B37FAAF45714F840914F548DF281C73699508BA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateWindowExA.USER32(00000200,EDIT,021BDA7C,50000180,00000037,0000002B,00000122,00000015,00000000,00000000,00000000,00000000), ref: 021BD8C1
                        • CreateWindowExA.USER32(00000200,EDIT,021BDA7C,50000180,00000037,00000043,00000122,00000015,00000000,00000000,00000000,00000000), ref: 021BD8F4
                        • SendMessageA.USER32(021E50A8,00000030,00000000,00000001), ref: 021BDA22
                        • SendMessageA.USER32(021E50AC,00000030,00000000,00000001), ref: 021BDA32
                        • SendMessageA.USER32(021E509C,00000030,00000000,00000001), ref: 021BDA42
                        • SendMessageA.USER32(021E50A0,00000030,00000000,00000001), ref: 021BDA52
                        • SendMessageA.USER32(021E5094,00000030,00000000,00000001), ref: 021BDA62
                        • SendMessageA.USER32(021E5098,00000030,00000000,00000001), ref: 021BDA72
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: MessageSend$CreateWindow
                        • String ID: BUTTON$Cancel$EDIT$MS Sans Serif$Static
                        • API String ID: 2286652126-4222191983
                        • Opcode ID: 20205cbbc39bc124f8671bd1c47afbd7f8d319b348801977a10d16d256378065
                        • Instruction ID: 0b87a7f94f36a4e4520e01d848f9b32053f4bdb5cf7a6fe57b6ead35b1b2cb7b
                        • Opcode Fuzzy Hash: 20205cbbc39bc124f8671bd1c47afbd7f8d319b348801977a10d16d256378065
                        • Instruction Fuzzy Hash: 5851EAB07C4344BFFA2596A49CA3FA732AEEB05F44F500511B744BF2C6C6E69D408BA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • ___free_lconv_mon.LIBCMT ref: 0040CAFD
                          • Part of subcall function 0040C672: _free.LIBCMT ref: 0040C68F
                          • Part of subcall function 0040C672: _free.LIBCMT ref: 0040C6A1
                          • Part of subcall function 0040C672: _free.LIBCMT ref: 0040C6B3
                          • Part of subcall function 0040C672: _free.LIBCMT ref: 0040C6C5
                          • Part of subcall function 0040C672: _free.LIBCMT ref: 0040C6D7
                          • Part of subcall function 0040C672: _free.LIBCMT ref: 0040C6E9
                          • Part of subcall function 0040C672: _free.LIBCMT ref: 0040C6FB
                          • Part of subcall function 0040C672: _free.LIBCMT ref: 0040C70D
                          • Part of subcall function 0040C672: _free.LIBCMT ref: 0040C71F
                          • Part of subcall function 0040C672: _free.LIBCMT ref: 0040C731
                          • Part of subcall function 0040C672: _free.LIBCMT ref: 0040C743
                          • Part of subcall function 0040C672: _free.LIBCMT ref: 0040C755
                          • Part of subcall function 0040C672: _free.LIBCMT ref: 0040C767
                        • _free.LIBCMT ref: 0040CAF2
                          • Part of subcall function 00408E1B: HeapFree.KERNEL32(00000000,00000000,?,0040C803,?,00000000,?,?,?,0040C82A,?,00000007,?,?,0040CC50,?), ref: 00408E31
                          • Part of subcall function 00408E1B: GetLastError.KERNEL32(?,?,0040C803,?,00000000,?,?,?,0040C82A,?,00000007,?,?,0040CC50,?,?), ref: 00408E43
                        • _free.LIBCMT ref: 0040CB14
                        • _free.LIBCMT ref: 0040CB29
                        • _free.LIBCMT ref: 0040CB34
                        • _free.LIBCMT ref: 0040CB56
                        • _free.LIBCMT ref: 0040CB69
                        • _free.LIBCMT ref: 0040CB77
                        • _free.LIBCMT ref: 0040CB82
                        • _free.LIBCMT ref: 0040CBBA
                        • _free.LIBCMT ref: 0040CBC1
                        • _free.LIBCMT ref: 0040CBDE
                        • _free.LIBCMT ref: 0040CBF6
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                        • String ID:
                        • API String ID: 161543041-0
                        • Opcode ID: 972bdd526d1857f33f2cfbb3207d02e764111e5aaf54e4dd0e5a1bea27d1970c
                        • Instruction ID: 5e640baffe88ff543c4b5248080f9926c4d6a7127ad1542a4239fcd7b63fbcba
                        • Opcode Fuzzy Hash: 972bdd526d1857f33f2cfbb3207d02e764111e5aaf54e4dd0e5a1bea27d1970c
                        • Instruction Fuzzy Hash: 92313C71500601DBEB319B39E986B5773E4AF80324F104A3FE495E72D1DE39BC91CA58
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • type_info::operator==.LIBVCRUNTIME ref: 004049FA
                        • ___TypeMatch.LIBVCRUNTIME ref: 00404B08
                        • _UnwindNestedFrames.LIBCMT ref: 00404C5A
                        • CallUnexpected.LIBVCRUNTIME ref: 00404C75
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                        • String ID: csm$csm$csm$|RA$-7
                        • API String ID: 2751267872-3464069488
                        • Opcode ID: 59d04053296473e66128c3bdc461578824f9f13455be5ce2afd6863cd177567a
                        • Instruction ID: 1482bd04149e20280335e9136dc6a4e04a11bd16c6dbbadd322b8a04db4731b9
                        • Opcode Fuzzy Hash: 59d04053296473e66128c3bdc461578824f9f13455be5ce2afd6863cd177567a
                        • Instruction Fuzzy Hash: C5B16AB1900209AFCF14DFA5C941AAFB7B5BF84314B15417BEA007B292D339EA51CF99
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • _free.LIBCMT ref: 004089DE
                          • Part of subcall function 00408E1B: HeapFree.KERNEL32(00000000,00000000,?,0040C803,?,00000000,?,?,?,0040C82A,?,00000007,?,?,0040CC50,?), ref: 00408E31
                          • Part of subcall function 00408E1B: GetLastError.KERNEL32(?,?,0040C803,?,00000000,?,?,?,0040C82A,?,00000007,?,?,0040CC50,?,?), ref: 00408E43
                        • _free.LIBCMT ref: 004089EA
                        • _free.LIBCMT ref: 004089F5
                        • _free.LIBCMT ref: 00408A00
                        • _free.LIBCMT ref: 00408A0B
                        • _free.LIBCMT ref: 00408A16
                        • _free.LIBCMT ref: 00408A21
                        • _free.LIBCMT ref: 00408A2C
                        • _free.LIBCMT ref: 00408A37
                        • _free.LIBCMT ref: 00408A45
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: 0bb2f9d78abe6cf057f5e0f5333418b608d41883d368f811a40c01ca910e8a49
                        • Instruction ID: e330f03267eae28a21fca3fc63cab5fce96350ed1dfa2297df4441d34f55a0cf
                        • Opcode Fuzzy Hash: 0bb2f9d78abe6cf057f5e0f5333418b608d41883d368f811a40c01ca910e8a49
                        • Instruction Fuzzy Hash: 3221F676900108AFCF41EF95C981CDE7BB8AF88314F0080AAF545EB162DB35EA55CB84
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • _ValidateLocalCookies.LIBCMT ref: 004040C7
                        • ___except_validate_context_record.LIBVCRUNTIME ref: 004040CF
                        • _ValidateLocalCookies.LIBCMT ref: 00404158
                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00404183
                        • _ValidateLocalCookies.LIBCMT ref: 004041D8
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                        • String ID: 0@$`B@$csm
                        • API String ID: 1170836740-2734781928
                        • Opcode ID: fd6f7a57359c823ea29376dfd258a425a8f9a08301f99e407a3009433b5108e6
                        • Instruction ID: 0fb5d205e58dbabe529ead84677bfbcdc4414c3c072106fa712b5e9646839d99
                        • Opcode Fuzzy Hash: fd6f7a57359c823ea29376dfd258a425a8f9a08301f99e407a3009433b5108e6
                        • Instruction Fuzzy Hash: 5041A374A00208ABCF10DF69DC88A9F7BA1EF85314F148166E9147B3D2D7399D51CB95
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetThreadLocale.KERNEL32(00000000,0219B307,?,?,00000000,00000000), ref: 0219B072
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: LocaleThread
                        • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                        • API String ID: 635194068-2493093252
                        • Opcode ID: 753609f3c2d86b34fe57b0d9e29f2d1eb5034f3b89cce89a0ddabb32c26a1306
                        • Instruction ID: 6b0064680c6f1c9d11ce2ee333375acf2f52f3ba09c6c9412349255e2f4e7676
                        • Opcode Fuzzy Hash: 753609f3c2d86b34fe57b0d9e29f2d1eb5034f3b89cce89a0ddabb32c26a1306
                        • Instruction Fuzzy Hash: D6612D31B85248DFDF00EBA4D980A9FB7BBAB48304F508479E111AB345DB34EA46CB54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$___from_strstr_to_strchr
                        • String ID:
                        • API String ID: 3409252457-0
                        • Opcode ID: 991d796795e5b6876fbac61f70163761d07ad06e779fb8e2784dbb851bf97854
                        • Instruction ID: 793ec8e395128184e872d946ddf62033a2612e7d9a5d08c2e125f827f07a5f8f
                        • Opcode Fuzzy Hash: 991d796795e5b6876fbac61f70163761d07ad06e779fb8e2784dbb851bf97854
                        • Instruction Fuzzy Hash: 7051B3B1904201EEDB20AFA598C19AA77A4AF45318F14437FE551BB2C2DB3D8901CF9D
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • lstrcpy.KERNEL32(?,?), ref: 02194B6B
                        • lstrcpyn.KERNEL32(?,?,0000005C,kernel32.dll), ref: 02194BCF
                        • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll), ref: 02194C04
                        • lstrlen.KERNEL32(?,0000005D,?), ref: 02194C67
                        • lstrcpy.KERNEL32(?,0000005C), ref: 02194C85
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: lstrcpylstrcpyn$lstrlen
                        • String ID: GetLongPathNameA$\$kernel32.dll
                        • API String ID: 2167663922-1565342463
                        • Opcode ID: d3e61994f5b57b75c37f5e0cc9379b2428793c7ff665cf498462714aeb58ff5e
                        • Instruction ID: 0f79661417b16d018d7a4ede4ed9f12ec4a6ecb12e348387b8e30883fe919c0a
                        • Opcode Fuzzy Hash: d3e61994f5b57b75c37f5e0cc9379b2428793c7ff665cf498462714aeb58ff5e
                        • Instruction Fuzzy Hash: DB415C71A40219BFEF21DAB8CD88BDE77EEAF08310F0404B19519D7240D7759A86CF64
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateFileA.KERNEL32(00000000,021A6D08,?,\\.\Scsi,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,021A6CDD), ref: 021A6A93
                        • DeviceIoControl.KERNEL32(000000FF,0004D008,0000001C,0000023C,0000001C,0000023C,?,00000000), ref: 021A6B65
                        • CloseHandle.KERNEL32(000000FF,021A6C67,0000023C,0000001C,0000023C,?,00000000,00000000,021A6B92), ref: 021A6B8C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: CloseControlCreateDeviceFileHandle
                        • String ID: SCSIDISK$\\.\SMARTVSD$\\.\Scsi
                        • API String ID: 33631002-4143829331
                        • Opcode ID: 1c5c307cea79cb89b1a7339e879df32e0cb3b22dcc56ba9ea1f8be8b5e5d8771
                        • Instruction ID: 5cab4450dee5c36f9b6a173c39b25455c54216e014080b03a9a0b05db772a94a
                        • Opcode Fuzzy Hash: 1c5c307cea79cb89b1a7339e879df32e0cb3b22dcc56ba9ea1f8be8b5e5d8771
                        • Instruction Fuzzy Hash: 6471B5706843989EEF21DB24CC59F99BBB9EB05714F5580E4E50CAB2D1C3B55E48CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 0040C7D9: _free.LIBCMT ref: 0040C7FE
                        • _free.LIBCMT ref: 0040C85F
                          • Part of subcall function 00408E1B: HeapFree.KERNEL32(00000000,00000000,?,0040C803,?,00000000,?,?,?,0040C82A,?,00000007,?,?,0040CC50,?), ref: 00408E31
                          • Part of subcall function 00408E1B: GetLastError.KERNEL32(?,?,0040C803,?,00000000,?,?,?,0040C82A,?,00000007,?,?,0040CC50,?,?), ref: 00408E43
                        • _free.LIBCMT ref: 0040C86A
                        • _free.LIBCMT ref: 0040C875
                        • _free.LIBCMT ref: 0040C8C9
                        • _free.LIBCMT ref: 0040C8D4
                        • _free.LIBCMT ref: 0040C8DF
                        • _free.LIBCMT ref: 0040C8EA
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: dfd30121637da8de457bbdb20e5c8dbb2e13d70f5835f32775482e51a56bcf2e
                        • Instruction ID: 1b54ede2b651037c14262451ea210479eea2756cc1357b2ed54b533ab1923ccb
                        • Opcode Fuzzy Hash: dfd30121637da8de457bbdb20e5c8dbb2e13d70f5835f32775482e51a56bcf2e
                        • Instruction Fuzzy Hash: C1114A31580B05EAD930B7B2CC86FCB77A95F88714F40493FB29AB64D3DF78A5144A94
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetLastError.KERNEL32(?,?,0040459B,0040440C,00403210), ref: 004045B2
                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004045C0
                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004045D9
                        • SetLastError.KERNEL32(00000000,0040459B,0040440C,00403210), ref: 0040462B
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLastValue___vcrt_
                        • String ID:
                        • API String ID: 3852720340-0
                        • Opcode ID: 38c3bb12bb5450d277d9b495d0c79af4792a40a6b9c4ded1da8043f56c201e08
                        • Instruction ID: da6f97795d2dedf0c88609181b2cb75d13fcd367c592a4f4b32682efc7540049
                        • Opcode Fuzzy Hash: 38c3bb12bb5450d277d9b495d0c79af4792a40a6b9c4ded1da8043f56c201e08
                        • Instruction Fuzzy Hash: 67012876118A11AED62436B57DC54972AC4EBD2B76B20133FF710A11E1FF7E8C02A58C
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: AdjustPointer
                        • String ID: 0@
                        • API String ID: 1740715915-1855383697
                        • Opcode ID: ed2b68e0b01666af651dda3a1222adcfed941a40fa4bbdeb6bfde3e63676e481
                        • Instruction ID: 996528970bb24515314476948a1fcfaaa719e2c1e2afcf38844c0b47f5924ef3
                        • Opcode Fuzzy Hash: ed2b68e0b01666af651dda3a1222adcfed941a40fa4bbdeb6bfde3e63676e481
                        • Instruction Fuzzy Hash: 2051DEB6600602AFDB299F51D841BABB7A4EF85314F14853FEE01672D1E739EC41CB98
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetModuleHandleA.KERNEL32(netapi32.dll,00000000,021ADD73), ref: 021ADC1D
                        • GetProcAddress.KERNEL32(00000000,Netbios), ref: 021ADC57
                        • FreeLibrary.KERNEL32(00000000,021ADD5D,021ADD56,?,?,netapi32.dll,00000000,021ADD73), ref: 021ADD50
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: AddressFreeHandleLibraryModuleProc
                        • String ID: Netbios$netapi32.dll
                        • API String ID: 4061214504-970706980
                        • Opcode ID: ce876075ff75b28cef43d1c9b467a5ce5b0b11efca26d33a361c7cec64199da0
                        • Instruction ID: daec9cd590483a114e9021c3595e9a4a59d93b20110ffcb639932d7d864d9482
                        • Opcode Fuzzy Hash: ce876075ff75b28cef43d1c9b467a5ce5b0b11efca26d33a361c7cec64199da0
                        • Instruction Fuzzy Hash: 7A412678D88A899EEF25DB70EC607EEBBB2AF47300F4044A5D41553980D7751A85CF91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        • C:\Users\user\Desktop\hiYc6Vnppc.exe, xrefs: 0040B3B2
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: C:\Users\user\Desktop\hiYc6Vnppc.exe
                        • API String ID: 0-1369794819
                        • Opcode ID: 7c18eb401558195c1c73f83feb187478a9ceeda492c63b58accbfde343853383
                        • Instruction ID: 49a3544bafe95d210442d2e85997da1498c24d3020b2ed4bc18ae607f8759688
                        • Opcode Fuzzy Hash: 7c18eb401558195c1c73f83feb187478a9ceeda492c63b58accbfde343853383
                        • Instruction Fuzzy Hash: FB21CF71200605AFDB10AF729C81D6B7768EE50368310863AF954A22D2EB38ED0187ED
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: api-ms-$ext-ms-
                        • API String ID: 0-537541572
                        • Opcode ID: 5b28311d8cf7e672d2c943a0488037bb7dc1fdab38b117f1b5bc8fe156f62e07
                        • Instruction ID: 7a791f7703257a9673e31adeae409d1ac703023e236893cbfa9d8064a1f031e4
                        • Opcode Fuzzy Hash: 5b28311d8cf7e672d2c943a0488037bb7dc1fdab38b117f1b5bc8fe156f62e07
                        • Instruction Fuzzy Hash: 3A21F571A05616EFCB22AB349E40A9B36A99F44764F21013BED85FB2D1DF38DC00C5E8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00407AA4,?,?,00407A6C,?,?,?), ref: 00407B07
                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00407B1A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: 0@$CorExitProcess$mscoree.dll
                        • API String ID: 1646373207-3806126223
                        • Opcode ID: 102ba065852f58f522910a8a5a1e393e89d92f248fe033a11f1119d777f7b36d
                        • Instruction ID: 47b293a45a76d09b823b1ae91e4c4efca29ae04e0ff400ddb8b4fa71f5ec9a6e
                        • Opcode Fuzzy Hash: 102ba065852f58f522910a8a5a1e393e89d92f248fe033a11f1119d777f7b36d
                        • Instruction Fuzzy Hash: 04F08231A01618FBCB11AB90DD09FDE7EB9DF44759F114075E400B21A0DB759F40DAD9
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • __alloca_probe_16.LIBCMT ref: 00410BF8
                        • __alloca_probe_16.LIBCMT ref: 00410CBE
                        • __freea.LIBCMT ref: 00410D2A
                          • Part of subcall function 00409870: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 004098A2
                        • __freea.LIBCMT ref: 00410D33
                        • __freea.LIBCMT ref: 00410D56
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: __freea$__alloca_probe_16$AllocateHeap
                        • String ID:
                        • API String ID: 1423051803-0
                        • Opcode ID: 5d83a49f99020a6c2f1f17d7b95ee591256166db876b10a0a1a5d36ba3d33650
                        • Instruction ID: 655126f06936f5c72a4aefd8d36d8e0d27d6c3d86f35e3f7ea5601a204fa929a
                        • Opcode Fuzzy Hash: 5d83a49f99020a6c2f1f17d7b95ee591256166db876b10a0a1a5d36ba3d33650
                        • Instruction Fuzzy Hash: E551D67260020AAFDB245F91DC41EFB77A9DB84754F15052AFD04A7251E7BCECC1C6A8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • RtlEnterCriticalSection.NTDLL(021D8430), ref: 021919F5
                        • LocalFree.KERNEL32(021D8488,021D8430,00000000,02191A9E), ref: 02191A07
                        • LocalFree.KERNEL32(021D8448,00000000,00000000,00008000,021D8488,00000000,02191A9E), ref: 02191A65
                        • RtlLeaveCriticalSection.NTDLL(021D8430), ref: 02191A8E
                        • RtlDeleteCriticalSection.NTDLL(021D8430), ref: 02191A98
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: CriticalSection$FreeLocal$DeleteEnterLeave
                        • String ID:
                        • API String ID: 3902855382-0
                        • Opcode ID: 9720125e7f1f616986e97ea4448192f1c578a687827e6fa68b361292b5fd21e3
                        • Instruction ID: 6136d9256306e937eaa5b0a0de0b6036c7709ac0cc93a85ba62e5d27345a41b4
                        • Opcode Fuzzy Hash: 9720125e7f1f616986e97ea4448192f1c578a687827e6fa68b361292b5fd21e3
                        • Instruction Fuzzy Hash: DC116D30ACA342FEEF51ABA9A980B2B37E69745748F660850E10DD7540C774B8D2CB35
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • _free.LIBCMT ref: 0040C788
                          • Part of subcall function 00408E1B: HeapFree.KERNEL32(00000000,00000000,?,0040C803,?,00000000,?,?,?,0040C82A,?,00000007,?,?,0040CC50,?), ref: 00408E31
                          • Part of subcall function 00408E1B: GetLastError.KERNEL32(?,?,0040C803,?,00000000,?,?,?,0040C82A,?,00000007,?,?,0040CC50,?,?), ref: 00408E43
                        • _free.LIBCMT ref: 0040C79A
                        • _free.LIBCMT ref: 0040C7AC
                        • _free.LIBCMT ref: 0040C7BE
                        • _free.LIBCMT ref: 0040C7D0
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: dad6c6168b3971448665ef2f8a935c997f56374553b0cea953facc9ac78d0028
                        • Instruction ID: 29e24e347ce0085d4d5b6c3b15b63838021f7943036704dc09b760d8d5d67d71
                        • Opcode Fuzzy Hash: dad6c6168b3971448665ef2f8a935c997f56374553b0cea953facc9ac78d0028
                        • Instruction Fuzzy Hash: 7FF06832540205E7C630DB55EAC1C5B77EAAA84B24754493FF044F76C0CB38FC818A9C
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetThreadLocale.KERNEL32(?,00000000,0219A12A,?,?,?,?,00000000,00000000,00000000,00000000), ref: 02199F96
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: LocaleThread
                        • String ID: eeee$ggg$yyyy
                        • API String ID: 635194068-1253427255
                        • Opcode ID: b0f62ec0f44cea6b54f629e81721a6321bc82a30cfd2d14962525c2f6cc6aee4
                        • Instruction ID: 88aa4d5452fb52708795c4d7d066dd58ba37c9c3a2a48f25b45d54c83551e039
                        • Opcode Fuzzy Hash: b0f62ec0f44cea6b54f629e81721a6321bc82a30cfd2d14962525c2f6cc6aee4
                        • Instruction Fuzzy Hash: E7412F757C42015FCF15AAB888903BFF29BEF88310F180575E4A2D3340EB25AC4ACEA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateFileA.KERNEL32(00000000,C0000000,00000003,00000000,00000004,00000080,00000000,00000000,021B285F,?,00000000,021B287F), ref: 021B2788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: CreateFile
                        • String ID: 158
                        • API String ID: 823142352-3801435587
                        • Opcode ID: 4a5754710b5cb42e20f1372f86a7e42d994d51dae09a10849b8224a39ab6fc0a
                        • Instruction ID: 3ac6c895f13634ea98eb479dc5248e4bc5f4542f09c8a7e2f0a6a3aa30f8fdd5
                        • Opcode Fuzzy Hash: 4a5754710b5cb42e20f1372f86a7e42d994d51dae09a10849b8224a39ab6fc0a
                        • Instruction Fuzzy Hash: 56415D74A80208EFEF22EBA4C841BCDB7B5FF05704F5185B5EA14A7290D774AA89CF54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: api-ms-
                        • API String ID: 0-2084034818
                        • Opcode ID: 553e1944f630e16c0ff694f55789d1e577a52e57eb29dd21801813c314a8f75b
                        • Instruction ID: e60c6f7fd9fafeb86fe18cfdd4ec20ac643fb849185ca9f617fec69b11f93adc
                        • Opcode Fuzzy Hash: 553e1944f630e16c0ff694f55789d1e577a52e57eb29dd21801813c314a8f75b
                        • Instruction Fuzzy Hash: EE11A732A01A21ABDF225B689C40B9B3798DF45760F650632E919FB2C0D779ED018EDD
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: _strrchr
                        • String ID:
                        • API String ID: 3213747228-0
                        • Opcode ID: 297e674e151500d86084b6bc3621331759cafdb13f8d23ea8a3a0672e83bc00e
                        • Instruction ID: bf69cb88f5e0cdf71a34dad8a41fc81e23cf7afdb3fb901bfbfe705b051c9f46
                        • Opcode Fuzzy Hash: 297e674e151500d86084b6bc3621331759cafdb13f8d23ea8a3a0672e83bc00e
                        • Instruction Fuzzy Hash: 1FB124729003459FDB11CF68C8417EEBBA5EF55340F1441BBE845BB382D6398D52CB6A
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: __alloca_probe_16__freea
                        • String ID:
                        • API String ID: 1635606685-0
                        • Opcode ID: 3107296534d4435a19ebf4dea142f8843e57c8005995749831b451b9625a2a93
                        • Instruction ID: 2e6e990cfc712b44a6a882a05bf1fc62a1db2ff6d8bbe8fcc7b2aa5530a2482e
                        • Opcode Fuzzy Hash: 3107296534d4435a19ebf4dea142f8843e57c8005995749831b451b9625a2a93
                        • Instruction Fuzzy Hash: 7D81D372D0020AABDF219F658A41EEF7BB59F4A314F18005BED14E7241D6BDCCA1C7A9
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SetThreadPriority.KERNEL32(?,0000000F,?,?,?), ref: 021C0AC1
                        • QueryPerformanceCounter.KERNEL32(?,00000000,021C0B48,?,?,?,?), ref: 021C0ADA
                        • QueryPerformanceCounter.KERNEL32(?,?,00000000,021C0B48,?,?,?,?), ref: 021C0B07
                        • SetThreadPriority.KERNEL32(?,7FFFFFFF,021C0B4F,?,?,?,?), ref: 021C0B42
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: CounterPerformancePriorityQueryThread
                        • String ID:
                        • API String ID: 179279453-0
                        • Opcode ID: 42238edbf2ff0e6d42abb5d254f4de5398036dca04cd4e5681ff94e832dfc5fe
                        • Instruction ID: d6a525cb4fd3a7b1b4a474dda4d9e390493c6700ef43aa531f033d74daa9e54b
                        • Opcode Fuzzy Hash: 42238edbf2ff0e6d42abb5d254f4de5398036dca04cd4e5681ff94e832dfc5fe
                        • Instruction Fuzzy Hash: 1D81BDB9E40218DFCB04DFE8C984ADEBBF6AB49304F21856AD418EB254E7319A458F50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00020019,?,00000000,021C01BB), ref: 021C0110
                        • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,00020019,?,00000000,021C01BB), ref: 021C0142
                        • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?,00000000,00000000,?,00000000,?,?,00000000,00000000,00020019), ref: 021C0172
                        • RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,?,00000000,00000000,00020019,?,00000000,021C01BB), ref: 021C01A0
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: QueryValue$CloseOpen
                        • String ID:
                        • API String ID: 1586453840-0
                        • Opcode ID: bdf29311373136b8118ad53f79565cc0a4df9ea689e05c30a0603e8cf273c695
                        • Instruction ID: d116020b3d245ee38f3d2f24aa827a34366343bec458321520d370ade2ec116a
                        • Opcode Fuzzy Hash: bdf29311373136b8118ad53f79565cc0a4df9ea689e05c30a0603e8cf273c695
                        • Instruction Fuzzy Hash: 3531D775A50619BFEF11EBA8CC80EAFB7BEEB49710F504565A514E7240E730EE018B60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                          • Part of subcall function 0040B267: _free.LIBCMT ref: 0040B275
                          • Part of subcall function 0040BE22: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,00410D20,?,00000000,00000000), ref: 0040BECE
                        • GetLastError.KERNEL32 ref: 0040ACAD
                        • __dosmaperr.LIBCMT ref: 0040ACB4
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0040ACF3
                        • __dosmaperr.LIBCMT ref: 0040ACFA
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                        • String ID:
                        • API String ID: 167067550-0
                        • Opcode ID: 9172ec3c6ae770dd49c2917de77819b826084d210957810ef62a47460ac69e8b
                        • Instruction ID: da6b955007121a6bba651cdf27a16814553dc068fb813253fb440f90ca8d7dad
                        • Opcode Fuzzy Hash: 9172ec3c6ae770dd49c2917de77819b826084d210957810ef62a47460ac69e8b
                        • Instruction Fuzzy Hash: BE21D371504705BFEB10AF629C8496B77A9EF54368310863EF855B36D0E738DC21879A
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetLastError.KERNEL32(?,?,?,00407CD1,?,?,00402ABF,00000000,0041B36C,?,string too long,?,00401ECB,?,004027A2,)'@), ref: 00408AE5
                        • _free.LIBCMT ref: 00408B42
                        • _free.LIBCMT ref: 00408B78
                        • SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,00407CD1,?,?,00402ABF,00000000,0041B36C,?,string too long,?,00401ECB), ref: 00408B83
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast_free
                        • String ID:
                        • API String ID: 2283115069-0
                        • Opcode ID: 0af373db9932830809188551db6b7d49dccb60e0b9b41aa442febf19644c7272
                        • Instruction ID: a91eafa9eb8c65f739ed9f1b0d2f7165d69771ab74e34c8b4e7360ee4ccfb059
                        • Opcode Fuzzy Hash: 0af373db9932830809188551db6b7d49dccb60e0b9b41aa442febf19644c7272
                        • Instruction Fuzzy Hash: 0B114CB2340509BAD71067769EC6EAB316DABC4778724033FF694B62D2DE3CAC16911C
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetLastError.KERNEL32(?,00000000,?,00408DB0,004098B3,?,?,00402CA5,00000000,?,0040244C,00000000,?,00401D59,00000000), ref: 00408C3C
                        • _free.LIBCMT ref: 00408C99
                        • _free.LIBCMT ref: 00408CCF
                        • SetLastError.KERNEL32(00000000,00000006,000000FF,?,00000000,?,00408DB0,004098B3,?,?,00402CA5,00000000,?,0040244C,00000000), ref: 00408CDA
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast_free
                        • String ID:
                        • API String ID: 2283115069-0
                        • Opcode ID: bb4c3524b6671b9505c4bfebf6052633fdac9e2cab3770c0c275643530338323
                        • Instruction ID: d8b0c5c3e2ca81d1329aa52abaa76473770c9bce7d22a6d20f43c58d7616cf92
                        • Opcode Fuzzy Hash: bb4c3524b6671b9505c4bfebf6052633fdac9e2cab3770c0c275643530338323
                        • Instruction Fuzzy Hash: 5011297130A2057AF71026769EC9EAB2569ABC4378724023FF594B62D1DE398C15612C
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00020019,?), ref: 0219D03E
                        • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,00020019,?), ref: 0219D06C
                        • RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000003,?,?,?,00000000,00000000,?,00000000,?,?,00000000,00000000,00020019), ref: 0219D09C
                        • RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,?,00000000,00000000,00020019,?), ref: 0219D0A8
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: QueryValue$CloseOpen
                        • String ID:
                        • API String ID: 1586453840-0
                        • Opcode ID: 0408de3088738fd8eff5748714d264a7e372c784926f405a6a91d754d5241bc3
                        • Instruction ID: fc34471cb8262dfe230515b2cdb92aa8ec60bf21cd77743fa09386a27ffd050d
                        • Opcode Fuzzy Hash: 0408de3088738fd8eff5748714d264a7e372c784926f405a6a91d754d5241bc3
                        • Instruction Fuzzy Hash: AC11BD76E40118BFDF10EAA9DC84FEEB7BDEB04210F044566BA14E7240E7709A008BA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetThreadLocale.KERNEL32(?,00000000,02199F4F,?,?,00000000), ref: 02199ED0
                        • GetThreadLocale.KERNEL32(00000000,00000004,00000000,02199F4F,?,?,00000000), ref: 02199F00
                        • GetThreadLocale.KERNEL32(00000000,00000003,Function_00008E04,00000000,00000000,00000004,00000000,02199F4F,?,?,00000000), ref: 02199F29
                        • EnumCalendarInfoA.KERNEL32(Function_00008E40,00000000,00000000,00000003), ref: 02199F34
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: LocaleThread$CalendarEnumInfo
                        • String ID:
                        • API String ID: 1139405593-0
                        • Opcode ID: 83a8c7383970de2e5428e2a31aed99e1b0ea7eda58d3115ce1a623bd7fa6faea
                        • Instruction ID: d485b5d18163ebf3a215f867b1869ac46981bdb499130bd477be21160a8d0a3e
                        • Opcode Fuzzy Hash: 83a8c7383970de2e5428e2a31aed99e1b0ea7eda58d3115ce1a623bd7fa6faea
                        • Instruction Fuzzy Hash: 1201F2717C4248AFFF11AB748D12F6AB75EDB86B20F200164F500A66C0E7349E018AA8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • WriteConsoleW.KERNEL32(00000000,0000001B,00000000,00000000,00000000,?,00411517,00000000,00000001,00000000,00000000,?,0040DE5A,?,0000000F,00000000), ref: 0041247E
                        • GetLastError.KERNEL32(?,00411517,00000000,00000001,00000000,00000000,?,0040DE5A,?,0000000F,00000000,?,00000000,?,0040E3A6,?), ref: 0041248A
                          • Part of subcall function 00412450: CloseHandle.KERNEL32(FFFFFFFE,0041249A,?,00411517,00000000,00000001,00000000,00000000,?,0040DE5A,?,0000000F,00000000,?,00000000), ref: 00412460
                        • ___initconout.LIBCMT ref: 0041249A
                          • Part of subcall function 00412412: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00412441,00411504,00000000,?,0040DE5A,?,0000000F,00000000,?), ref: 00412425
                        • WriteConsoleW.KERNEL32(00000000,0000001B,00000000,00000000,?,00411517,00000000,00000001,00000000,00000000,?,0040DE5A,?,0000000F,00000000,?), ref: 004124AF
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                        • String ID:
                        • API String ID: 2744216297-0
                        • Opcode ID: 154d22163482ac2e1cee05457185874bc8b07cdd1f4d63705a76896d0c1d751a
                        • Instruction ID: 7e3763eda41dce19ce67d731735d68b7e6a9f15119974591a5522d454736ef8f
                        • Opcode Fuzzy Hash: 154d22163482ac2e1cee05457185874bc8b07cdd1f4d63705a76896d0c1d751a
                        • Instruction Fuzzy Hash: 54F01C37400128BBCF226FD1DD04ACA3F66FB4C3A4F458021FA08D5120C6768C60EB98
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • _free.LIBCMT ref: 004081E5
                          • Part of subcall function 00408E1B: HeapFree.KERNEL32(00000000,00000000,?,0040C803,?,00000000,?,?,?,0040C82A,?,00000007,?,?,0040CC50,?), ref: 00408E31
                          • Part of subcall function 00408E1B: GetLastError.KERNEL32(?,?,0040C803,?,00000000,?,?,?,0040C82A,?,00000007,?,?,0040CC50,?,?), ref: 00408E43
                        • _free.LIBCMT ref: 004081F8
                        • _free.LIBCMT ref: 00408209
                        • _free.LIBCMT ref: 0040821A
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: _free$ErrorFreeHeapLast
                        • String ID:
                        • API String ID: 776569668-0
                        • Opcode ID: 89843c78b46ecbdfd6f7dcce1ee1ac36033d748c6d14e1dc2bb597d032026490
                        • Instruction ID: 749b8829db4eaaf99a6bd23986dc91dba5821a0a1ab3b060ddd4f8272a56a8ff
                        • Opcode Fuzzy Hash: 89843c78b46ecbdfd6f7dcce1ee1ac36033d748c6d14e1dc2bb597d032026490
                        • Instruction Fuzzy Hash: F6E0BFF5C05160AACB11AF15FE414C63B61EBC4764701A43EF450626B6CA390562DBCD
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: C:\Users\user\Desktop\hiYc6Vnppc.exe
                        • API String ID: 0-1369794819
                        • Opcode ID: 91219cbde1be2c42f593788d6fb92af30ee0cdbbdd0a13273b995a418b2f9f85
                        • Instruction ID: bd43cf828432085d93917b06e8555d72da317386a575ff5f0cffdaaf06698e0a
                        • Opcode Fuzzy Hash: 91219cbde1be2c42f593788d6fb92af30ee0cdbbdd0a13273b995a418b2f9f85
                        • Instruction Fuzzy Hash: F24194B0E04214ABDB11DF9A9C8199FBBB8EB84310B10407BFC04F7291D778AE01D799
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • RtlEncodePointer.NTDLL(00000000), ref: 00404CA5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: EncodePointer
                        • String ID: MOC$RCC
                        • API String ID: 2118026453-2084237596
                        • Opcode ID: a78bb005423d4d1483988eda407080e485ae25ecc85c95642cd84746d98321b7
                        • Instruction ID: d45a07652d828b7dccaa433c5f59063f4c2df5354e8bc583bc59cd699ba6929b
                        • Opcode Fuzzy Hash: a78bb005423d4d1483988eda407080e485ae25ecc85c95642cd84746d98321b7
                        • Instruction Fuzzy Hash: 74415BB1900209EFDF15DF94CD81AEE7BB5BF88304F15806AFA04B7291D3399A51DB54
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02198A5E), ref: 02198A06
                        • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02198A5E), ref: 02198A0C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: DateFormatLocaleThread
                        • String ID: yyyy
                        • API String ID: 3303714858-3145165042
                        • Opcode ID: 8161631ac958d1d2040fac267f292d0c782dd74c87e46f67689065c95e7a2906
                        • Instruction ID: fb78782a4e001132c05409d39524194f3e09838e60df0fa3afe17091a8fabd17
                        • Opcode Fuzzy Hash: 8161631ac958d1d2040fac267f292d0c782dd74c87e46f67689065c95e7a2906
                        • Instruction Fuzzy Hash: CB21A178680208AFDF15EFA8C885AAEB3B9EF49710F4200A5F915E7751DB30DE40CB65
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • RtlEnterCriticalSection.NTDLL(021E4DE4), ref: 021B70F3
                        • RtlLeaveCriticalSection.NTDLL(021E4DE4), ref: 021B7169
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363499699.0000000002191000.00000040.00000800.00020000.00000000.sdmp, Offset: 02191000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2191000_hiYc6Vnppc.jbxd
                        Similarity
                        • API ID: CriticalSection$EnterLeave
                        • String ID: 181
                        • API String ID: 3168844106-523153041
                        • Opcode ID: 457650890ca7035595c9b4025ec706bcbcdf7dce2c73efecd60fbd1f438fa8ab
                        • Instruction ID: 453227d7fdeed3ee19ab1b142f0dffcfbac589f20413c0fcbca7c6eb9bd6df74
                        • Opcode Fuzzy Hash: 457650890ca7035595c9b4025ec706bcbcdf7dce2c73efecd60fbd1f438fa8ab
                        • Instruction Fuzzy Hash: DE01C0722807469EDF32EF69C880AC7B7FEAF80304B00892AE54647144D761F90A8BB0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 00409202
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountCriticalInitializeSectionSpin
                        • String ID: 0@$InitializeCriticalSectionEx
                        • API String ID: 2593887523-348943516
                        • Opcode ID: 820523cb8882581daeb4233bf1cf00565923cc79475d46bb87ca62abc0df9ff3
                        • Instruction ID: ea175ca7c0054d3ecf465842f4c2b5daf9089b8f728e32c464686bd57bc6b6ed
                        • Opcode Fuzzy Hash: 820523cb8882581daeb4233bf1cf00565923cc79475d46bb87ca62abc0df9ff3
                        • Instruction Fuzzy Hash: A8E0923168021DF7CF112F51DC0AEDE3F15DF84B61B108036FD18291A2CB768960A7C8
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.363201451.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.363188412.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363260298.0000000000430000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363297142.0000000000451000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.363308479.0000000000464000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_hiYc6Vnppc.jbxd
                        Yara matches
                        Similarity
                        • API ID: Alloc
                        • String ID: 0@$FlsAlloc
                        • API String ID: 2773662609-1191926940
                        • Opcode ID: c48f049adb390857d296c21d3dc04b2ddc32ee604f02374522663f94a0598c6f
                        • Instruction ID: f4fdd5adffcf4d16a9820a1f1a41caa8e6a2c58ce2c09c421f3608c8c531de37
                        • Opcode Fuzzy Hash: c48f049adb390857d296c21d3dc04b2ddc32ee604f02374522663f94a0598c6f
                        • Instruction Fuzzy Hash: CAE0CD31B81715F7C6113751EC0AFDE7D148780B60F158033F904651D2DEB98D4151DD
                        Uniqueness

                        Uniqueness Score: -1.00%