Windows Analysis Report
ZtQY1K6aTi.exe

Overview

General Information

Sample name: ZtQY1K6aTi.exe (renamed because the original name is a hash value)
Original sample name: 7f991bd7699126d6cca12241de7e7c44.exe
Analysis ID: 1435778
MD5: 7f991bd7699126d6cca12241de7e7c44
SHA1: 63829ce5fcb6616b08d81fb456e92fcd1cac14c9
SHA256: 441bfb5e8bc07201c4c44de203b37c3ee9ab8d50dcfe025d7757fb7097c61156
Tags: 32, exe, trojan

Detection

RisePro Stealer
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected RisePro Stealer
Adds extensions / path to Windows Defender exclusion list (Registry)
Contains functionality to inject threads in other processes
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Exclude list of file types from scheduled, custom, and real-time scanning
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found stalling execution ending in API Sleep call
Machine Learning detection for sample
Modifies Group Policy settings
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

  • System is w10x64
  • ZtQY1K6aTi.exe (PID: 6788 cmdline: "C:\Users\user\Desktop\ZtQY1K6aTi.exe" MD5: 7F991BD7699126D6CCA12241DE7E7C44)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: ZtQY1K6aTi.exe PID: 6788 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
    Sigma rule match: Source: Registry Key set | Author: Christian Burkard (Nextron Systems) | Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ZtQY1K6aTi.exe, ProcessId: 6788, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions
    No Snort rule has matched

    AV Detection

    Source: ZtQY1K6aTi.exe | ReversingLabs: Detection: 60%
    Source: ZtQY1K6aTi.exe | Virustotal: Detection: 66%
    Source: ZtQY1K6aTi.exe | Joe Sandbox ML: detected
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_00263EB0 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,0_2_00263EB0
    Source: ZtQY1K6aTi.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

    Change of critical system settings

    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions, value: Exclusions_Extensions
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions, value: exe
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_001D2012 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,0_2_001D2012
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_0027D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,0_2_0027D2B0
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_002633B0 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_002633B0
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_002313F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_002313F0
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_00231A60 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,0_2_00231A60
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_00283B20 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,0_2_00283B20
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_001EFC1D FindFirstFileExW,0_2_001EFC1D
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_001D1F8C FindClose,FindFirstFileExW,GetLastError,0_2_001D1F8C
    Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 87.120.84.5:50500
    Source: unknown | TCP traffic detected without corresponding DNS query: 87.120.84.5
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_001B8DC0 recv,0_2_001B8DC0
    Source: ZtQY1K6aTi.exe | String found in binary or memory: http://www.winimage.com/zLibDll
    Source: ZtQY1K6aTi.exe | String found in binary or memory: https://ipinfo.io/
    Source: ZtQY1K6aTi.exe | String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
    Source: ZtQY1K6aTi.exe, 00000000.00000002.3254044242.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/RiseProSUPPORT
    Source: ZtQY1K6aTi.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_002833A0 GdiplusStartup,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdipDisposeImage,DeleteObject,ReleaseDC,GdiplusShutdown,0_2_002833A0
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | File created: C:\Windows\SysWOW64\GroupPolicy\gpt.ini
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | File created: C:\Windows\System32\GroupPolicy\Machine
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | File created: C:\Windows\System32\GroupPolicy\User
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | File created: C:\Windows\System32\GroupPolicy\GPT.INI
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: String function: 001BACE0 appears 146 times
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: String function: 001A2CF0 appears 110 times
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: String function: 001D4370 appears 60 times
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: String function: 002E4890 appears 102 times
    Source: ZtQY1K6aTi.exe, 00000000.00000000.1976300985.0000000000327000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs ZtQY1K6aTi.exe
    Source: ZtQY1K6aTi.exe, 00000000.00000002.3254255271.00000000046F2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs ZtQY1K6aTi.exe
    Source: ZtQY1K6aTi.exe | Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs ZtQY1K6aTi.exe
    Source: ZtQY1K6aTi.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: classification engine | Classification label: mal96.troj.evad.winEXE@1/3@0/1
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_002E23D0 GetLastError,GetVersionExA,FormatMessageW,LocalFree,FormatMessageA,0_2_002E23D0
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_002E2160 GetVersionExA,CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA,0_2_002E2160
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_0022CB90 CreateDirectoryA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_0022CB90
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_002709B0 CoInitializeEx,CoCreateInstance,RegCreateKeyExA,RegSetValueExA,RegCreateKeyExA,RegSetValueExA,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegOpenKeyExA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegCloseKey,CoUninitialize,0_2_002709B0
    Source: ZtQY1K6aTi.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | File read: C:\Windows\SysWOW64\GroupPolicy\gpt.ini
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: ZtQY1K6aTi.exe, ZtQY1K6aTi.exe, 00000000.00000000.1976264611.00000000002FA000.00000002.00000001.01000000.00000003.sdmp, ZtQY1K6aTi.exe, 00000000.00000002.3254255271.00000000046F2000.00000004.00000020.00020000.00000000.sdmp, ZtQY1K6aTi.exe, 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
    Source: ZtQY1K6aTi.exe, 00000000.00000000.1976264611.00000000002FA000.00000002.00000001.01000000.00000003.sdmp, ZtQY1K6aTi.exe, 00000000.00000002.3254255271.00000000046F2000.00000004.00000020.00020000.00000000.sdmp, ZtQY1K6aTi.exe, 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
    Source: ZtQY1K6aTi.exe | ReversingLabs: Detection: 60%
    Source: ZtQY1K6aTi.exe | Virustotal: Detection: 66%
    Source: ZtQY1K6aTi.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
    Source: ZtQY1K6aTi.exe | String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll\*value
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | File read: C:\Users\user\Desktop\ZtQY1K6aTi.exe
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: rstrtmgr.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: ncrypt.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: ntasn1.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: d3d11.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: dxgi.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: resourcepolicyclient.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: d3d10warp.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: dxcore.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: textshaping.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: textinputframework.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: coreuicomponents.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: gpedit.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: gpapi.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: activeds.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: dssec.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: dsuiext.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: framedynos.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: adsldpc.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: dsrole.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: logoncli.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: mpr.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: ntdsapi.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: authz.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA502722-A23D-11D1-A7D3-0000F87571E3}\InProcServer32
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | File written: C:\Windows\SysWOW64\GroupPolicy\gpt.ini
    Source: ZtQY1K6aTi.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
    Source: ZtQY1K6aTi.exe | Static file information: File size 1672704 > 1048576
    Source: ZtQY1K6aTi.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x158c00
    Source: ZtQY1K6aTi.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: ZtQY1K6aTi.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: ZtQY1K6aTi.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: ZtQY1K6aTi.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: ZtQY1K6aTi.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: ZtQY1K6aTi.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: ZtQY1K6aTi.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: ZtQY1K6aTi.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: ZtQY1K6aTi.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: ZtQY1K6aTi.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: ZtQY1K6aTi.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: ZtQY1K6aTi.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_001F9588 LoadLibraryA,GetProcAddress,MessageBoxA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetProcessId,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetThreadExecutionState,SetThreadExecutionState,SetThreadExecutionState,0_2_001F9588
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_001D3F49 push ecx; ret 0_2_001D3F5C
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_0028A2D0 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0028A2D0

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Sandbox detection routine: GetCursorPos, DecisionNode, Sleep [graph_0-90433]
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep [graph_0-90435]
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Stalling execution: Execution stalls by calling Sleep [graph_0-90366]
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos,0_2_001FDA50
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Window / User API: threadDelayed 6362
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) [graph_0-90363]
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes [graph_0-90396]
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | API coverage: 7.2 %
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Last function: Thread delayed
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_002E1D30 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 002E1D71h 0_2_002E1D30
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_001D2012 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,0_2_001D2012
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_0027D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,0_2_0027D2B0
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_002633B0 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_002633B0
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_002313F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_002313F0
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_00231A60 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,0_2_00231A60
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_00283B20 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,0_2_00283B20
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_001EFC1D FindFirstFileExW,0_2_001EFC1D
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_001D1F8C FindClose,FindFirstFileExW,GetLastError,0_2_001D1F8C
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_001F80C8 VirtualQuery,GetSystemInfo,0_2_001F80C8
    Source: ZtQY1K6aTi.exe, 00000000.00000002.3254044242.0000000000D40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: ZtQY1K6aTi.exe, 00000000.00000002.3254044242.0000000000D40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllnn
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_001D4174 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_001D4174
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_001FA082 CreateThread,FindCloseChangeNotification,Sleep,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep,0_2_001FA082
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_001F9588 LoadLibraryA,GetProcAddress,MessageBoxA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetProcessId,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetThreadExecutionState,SetThreadExecutionState,SetThreadExecutionState,0_2_001F9588
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_001FA082 mov eax, dword ptr fs:[00000030h] 0_2_001FA082
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_001FA082 mov ecx, dword ptr fs:[00000030h] 0_2_001FA082
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_002709B0 mov eax, dword ptr fs:[00000030h] 0_2_002709B0
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_002709B0 mov eax, dword ptr fs:[00000030h]0_2_002709B0
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_002709B0 mov eax, dword ptr fs:[00000030h]0_2_002709B0
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_002709B0 mov eax, dword ptr fs:[00000030h]0_2_002709B0
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_002709B0 mov eax, dword ptr fs:[00000030h]0_2_002709B0
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_002709B0 mov eax, dword ptr fs:[00000030h]0_2_002709B0
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_002709B0 mov eax, dword ptr fs:[00000030h]0_2_002709B0
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_002709B0 mov eax, dword ptr fs:[00000030h]0_2_002709B0
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_002709B0 mov eax, dword ptr fs:[00000030h]0_2_002709B0
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_002709B0 mov eax, dword ptr fs:[00000030h]0_2_002709B0
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_002709B0 mov eax, dword ptr fs:[00000030h]0_2_002709B0
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_002709B0 mov eax, dword ptr fs:[00000030h]0_2_002709B0
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_001F9588 mov eax, dword ptr fs:[00000030h]0_2_001F9588
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_001F9588 mov eax, dword ptr fs:[00000030h]0_2_001F9588
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_001F9588 mov eax, dword ptr fs:[00000030h]0_2_001F9588
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_001F9588 mov ecx, dword ptr fs:[00000030h]0_2_001F9588
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_001FDA50 mov eax, dword ptr fs:[00000030h]0_2_001FDA50
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_001FDA50 mov eax, dword ptr fs:[00000030h]0_2_001FDA50
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_00264130 mov eax, dword ptr fs:[00000030h]0_2_00264130
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_00270420 mov ecx, dword ptr fs:[00000030h]0_2_00270420
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_001FA61F mov eax, dword ptr fs:[00000030h]0_2_001FA61F
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_001FA61F mov eax, dword ptr fs:[00000030h]0_2_001FA61F
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_001FA61F mov eax, dword ptr fs:[00000030h]0_2_001FA61F
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_002332B0 mov eax, dword ptr fs:[00000030h]0_2_002332B0
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_00273630 mov eax, dword ptr fs:[00000030h]0_2_00273630
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_00265A70 mov eax, dword ptr fs:[00000030h]0_2_00265A70
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_00286E20 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,HeapAlloc,HeapFree,HeapAlloc,HeapFree,0_2_00286E20
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_001D4174 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_001D4174
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_001D4301 SetUnhandledExceptionFilter,0_2_001D4301
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_001D450D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_001D450D
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exeCode function: 0_2_001D8A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_001D8A54

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_0026C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,0_2_0026C630
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_00273340 cpuid 0_2_00273340
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_001F2B48
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: GetLocaleInfoW,0_2_001F2D4D
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: EnumSystemLocalesW,0_2_001F2DF4
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: EnumSystemLocalesW,0_2_001F2E3F
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: EnumSystemLocalesW,0_2_001F2EDA
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_001F2F65
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: GetLocaleInfoW,0_2_001F31B8
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: EnumSystemLocalesW,0_2_001EB1A3
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_001F32E1
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: GetLocaleInfoW,0_2_001F33E7
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_001F34BD
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: GetLocaleInfoW,0_2_001EB726
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,0_2_0027DA80
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: GetLocaleInfoEx,FormatMessageA,0_2_001D1D84
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_001D43B5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_001D43B5
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_0026E800 OutputDebugStringA,CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,CopyFileA,GetUserNameA,ShellExecuteA,0_2_0026E800
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_001ED11E GetTimeZoneInformation,0_2_001ED11E
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Code function: 0_2_002E2070 GetVersionExA,DeleteFileW,GetFileAttributesW,GetLastError,Sleep,DeleteFileA,GetFileAttributesA,GetLastError,Sleep,0_2_002E2070

    Lowering of HIPS / PFW / Operating System Security Settings

    Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions | Registry value created: Exclusions_Extensions 1
    Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender | Registry value created: DisableAntiSpyware 1
    Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender | Registry value created: DisableRoutinelyTakingAction 1
    Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableBehaviorMonitoring 1
    Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableOnAccessProtection 1
    Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableScanOnRealtimeEnable 1
    Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
    Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
    Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRawWriteNotification 1
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | Registry value created: Exclusions_Extensions 1
    Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe | File written: C:\Windows\System32\GroupPolicy\GPT.INI

    Stealing of Sensitive Information

    Source: Yara match | File source: Process Memory Space: ZtQY1K6aTi.exe PID: 6788, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match | File source: Process Memory Space: ZtQY1K6aTi.exe PID: 6788, type: MEMORYSTR

    MITRE ATT&CK Matrix (techniques matched by signatures, with the number of matching signatures in parentheses):

    Execution: Command and Scripting Interpreter (2), Native API (12)
    Persistence: DLL Side-Loading (1)
    Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Bypass User Account Control (1)
    Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (1), Disable or Modify Tools (5), Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), DLL Side-Loading (1), Bypass User Account Control (1)
    Discovery: System Time Discovery (12), Security Software Discovery (141), Virtualization/Sandbox Evasion (1), Process Discovery (1), Application Window Discovery (1), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (3), System Information Discovery (25)
    Collection: Screen Capture (1), Archive Collected Data (1)
    Command and Control: Encrypted Channel (2), Non-Standard Port (1), Ingress Tool Transfer (1)
    Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact: no matched techniques
    Source | Detection | Scanner | Label
    ZtQY1K6aTi.exe | 61% | ReversingLabs | Win32.Spyware.Risepro
    ZtQY1K6aTi.exe | 67% | Virustotal |
    ZtQY1K6aTi.exe | 100% | Joe Sandbox ML |
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    No contacted domains info
    Name | Source | Malicious | Reputation
    https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | ZtQY1K6aTi.exe | false | high
    http://www.winimage.com/zLibDll | ZtQY1K6aTi.exe | false | high
    https://t.me/RiseProSUPPORT | ZtQY1K6aTi.exe, 00000000.00000002.3254044242.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp | false | high
    https://ipinfo.io/ | ZtQY1K6aTi.exe | false | high
    https://www.maxmind.com/en/locate-my-ip-address | ZtQY1K6aTi.exe | false | high
    IP | Domain | Country | ASN | ASN Name | Malicious
    87.120.84.5 | unknown | Bulgaria | 51189 | SHARCOM-ASBG | false
              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1435778
              Start date and time:2024-05-03 06:06:08 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 4m 49s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed:7
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:ZtQY1K6aTi.exe
              renamed because original name is a hash value
              Original Sample Name:7f991bd7699126d6cca12241de7e7c44.exe
              Detection:MAL
              Classification:mal96.troj.evad.winEXE@1/3@0/1
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 95%
              • Number of executed functions: 21
              • Number of non-executed functions: 89
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • Report size exceeded maximum capacity and may have missing disassembly code.
              • Report size getting too big, too many NtQueryValueKey calls found.
              No simulations
              No context
              No context
              Match | Associated Sample Name / URL | Detection | Threat Name | Context
              SHARCOM-ASBG | Sig.exe | malicious | PureLog Stealer, zgRAT | 87.120.84.140
              SHARCOM-ASBG | http://87.120.84.22 | malicious | Unknown | 87.120.84.22
              SHARCOM-ASBG | Browser Update.js | malicious | BitRAT, RHADAMANTHYS | 87.120.84.233
              SHARCOM-ASBG | qqeng.pdf.lnk | malicious | RHADAMANTHYS | 87.120.84.233
              SHARCOM-ASBG | qqeng.exe | malicious | RHADAMANTHYS | 87.120.84.233
              SHARCOM-ASBG | W57eRMWUqG.exe | malicious | Amadey, PureLog Stealer | 87.120.84.156
              SHARCOM-ASBG | 93GwwLKH1N.exe | malicious | Amadey, PureLog Stealer | 87.120.84.156
              SHARCOM-ASBG | ChromeSetup.exe | malicious | RHADAMANTHYS | 87.120.84.233
              SHARCOM-ASBG | iSbEfOEmv8.exe | malicious | RHADAMANTHYS | 87.120.84.233
              SHARCOM-ASBG | Midjourney.exe | malicious | RHADAMANTHYS | 87.120.84.233
              No context
              No context
              Process:C:\Users\user\Desktop\ZtQY1K6aTi.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):11
              Entropy (8bit):3.2776134368191165
              Encrypted:false
              SSDEEP:3:1EX:10
              MD5:EC3584F3DB838942EC3669DB02DC908E
              SHA1:8DCEB96874D5C6425EBB81BFEE587244C89416DA
              SHA-256:77C7C10B4C860D5DDF4E057E713383E61E9F21BCF0EC4CFBBC16193F2E28F340
              SHA-512:35253883BB627A49918E7415A6BA6B765C86B516504D03A1F4FD05F80902F352A7A40E2A67A6D1B99A14B9B79DAB82F3AC7A67C512CCF6701256C13D0096855E
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview:[General]..
              Process:C:\Users\user\Desktop\ZtQY1K6aTi.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):127
              Entropy (8bit):5.080093624462795
              Encrypted:false
              SSDEEP:3:1ELGUAgKLMzY+eWgTckbnnvjiBIFVTjSUgf4orFLsUov:1WsMzYHxbnvEcvgqv
              MD5:8EF9853D1881C5FE4D681BFB31282A01
              SHA1:A05609065520E4B4E553784C566430AD9736F19F
              SHA-256:9228F13D82C3DC96B957769F6081E5BAC53CFFCA4FFDE0BA1E102D9968F184A2
              SHA-512:5DDEE931A08CFEA5BB9D1C36355D47155A24D617C2A11D08364FFC54E593064011DEE4FEA8AC5B67029CAB515D3071F0BA0422BB76AF492A3115272BA8FEB005
              Malicious:true
              Reputation:moderate, very likely benign file
              Preview:[General]..gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}]..Version=1..
              Process:C:\Users\user\Desktop\ZtQY1K6aTi.exe
              File Type:RAGE Package Format (RPF),
              Category:dropped
              Size (bytes):1926
              Entropy (8bit):3.310422749310586
              Encrypted:false
              SSDEEP:24:wSLevFeSLe5BeSwbv5qweSw4q7j/eScdepWDbVeScden2W8eScdemevtmeScdeRg:KFIBkbv5qwk4qfKV2QxVCZ
              MD5:CDFD60E717A44C2349B553E011958B85
              SHA1:431136102A6FB52A00E416964D4C27089155F73B
              SHA-256:0EE08DA4DA3E4133E1809099FC646468E7156644C9A772F704B80E338015211F
              SHA-512:DFEA0D0B3779059E64088EA9A13CD6B076D76C64DB99FA82E6612386CAE5CDA94A790318207470045EF51F0A410B400726BA28CB6ECB6972F081C532E558D6A8
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview:PReg....[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r...;.D.i.s.a.b.l.e.A.n.t.i.S.p.y.w.a.r.e...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r...;.D.i.s.a.b.l.e.R.o.u.t.i.n.e.l.y.T.a.k.i.n.g.A.c.t.i.o.n...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.E.x.c.l.u.s.i.o.n.s...;.E.x.c.l.u.s.i.o.n.s._.E.x.t.e.n.s.i.o.n.s...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.E.x.c.l.u.s.i.o.n.s.\.E.x.t.e.n.s.i.o.n.s...;.e.x.e...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.R.e.a.l.-.T.i.m.e. .P.r.o.t.e.c.t.i.o.n...;.D.i.s.a.b.l.e.B.e.h.a.v.i.o.r.M.o.n.i.t.o.r.i.n.g...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.R.e.a.l.-.T.i.m.e. .P.
              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):6.490534915401225
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:ZtQY1K6aTi.exe
              File size:1'672'704 bytes
              MD5:7f991bd7699126d6cca12241de7e7c44
              SHA1:63829ce5fcb6616b08d81fb456e92fcd1cac14c9
              SHA256:441bfb5e8bc07201c4c44de203b37c3ee9ab8d50dcfe025d7757fb7097c61156
              SHA512:fea0a97960ab293751f8afdac85fe1b39fcac247ad0e8baad2287e1a6cf177806644960070bdec91b5e9875d677f6596b9c592cf2471eda2bcef40311702e499
              SSDEEP:49152:TVTBGQcbvUDNbQ9jyA/gZd0x0Oj1o08pTdJG0K5:TVwQWvUDNbQ92AoZd0x0ORo
              TLSH:E0756B32A745A462E4A301B031AEFBB994A53D342751C4C7FBC06E6B77F56C22174E2B
              File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s
              Icon Hash:4c4d96ec0ce6c600
              Entrypoint:0x433d5d
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
              Time Stamp:0x6625EF5E [Mon Apr 22 05:02:22 2024 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:6
              OS Version Minor:0
              File Version Major:6
              File Version Minor:0
              Subsystem Version Major:6
              Subsystem Version Minor:0
              Import Hash:e2abfd7ba257adf7a15b19d55fcf4379
              Instruction
              call 00007F22BCE3D9A5h
              jmp 00007F22BCE3D17Fh
              cmp ecx, dword ptr [00582080h]
              jne 00007F22BCE3D303h
              ret
              jmp 00007F22BCE3DAC5h
              push ebp
              mov ebp, esp
              and dword ptr [00585560h], 00000000h
              sub esp, 24h
              or dword ptr [005820C4h], 01h
              push 0000000Ah
              call dword ptr [0055A0ECh]
              test eax, eax
              je 00007F22BCE3D4B2h
              and dword ptr [ebp-10h], 00000000h
              xor eax, eax
              push ebx
              push esi
              push edi
              xor ecx, ecx
              lea edi, dword ptr [ebp-24h]
              push ebx
              cpuid
              mov esi, ebx
              pop ebx
              nop
              mov dword ptr [edi], eax
              mov dword ptr [edi+04h], esi
              mov dword ptr [edi+08h], ecx
              xor ecx, ecx
              mov dword ptr [edi+0Ch], edx
              mov eax, dword ptr [ebp-24h]
              mov edi, dword ptr [ebp-20h]
              mov dword ptr [ebp-0Ch], eax
              xor edi, 756E6547h
              mov eax, dword ptr [ebp-18h]
              xor eax, 49656E69h
              mov dword ptr [ebp-04h], eax
              mov eax, dword ptr [ebp-1Ch]
              xor eax, 6C65746Eh
              mov dword ptr [ebp-08h], eax
              xor eax, eax
              inc eax
              push ebx
              cpuid
              mov esi, ebx
              pop ebx
              nop
              lea ebx, dword ptr [ebp-24h]
              mov dword ptr [ebx], eax
              mov eax, dword ptr [ebp-04h]
              or eax, dword ptr [ebp-08h]
              or eax, edi
              mov dword ptr [ebx+04h], esi
              mov dword ptr [ebx+08h], ecx
              mov dword ptr [ebx+0Ch], edx
              jne 00007F22BCE3D345h
              mov eax, dword ptr [ebp-24h]
              and eax, 0FFF3FF0h
              cmp eax, 000106C0h
              je 00007F22BCE3D325h
              cmp eax, 00020660h
              je 00007F22BCE3D31Eh
              cmp eax, 00020670h
              je 00007F22BCE3D317h
              cmp eax, 00030650h
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x180528 | 0x118 | .rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x187000 | 0xafa0 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x192000 | 0x9700 | .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x16e4c0 | 0x38 | .rdata
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x16e500 | 0x18 | .rdata
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x162840 | 0x40 | .rdata
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x15a000 | 0x3dc | .rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x1803c4 | 0x40 | .rdata
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x158af8 | 0x158c00 | 096caf09bcd7657204f7281647f25f46 | False | 0.4725514412617839 | data | 6.524383214138694 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rdata | 0x15a000 | 0x27b5a | 0x27c00 | f3caaa0faa68d0534b45b9387853ac8c | False | 0.4351722189465409 | data | 5.301509174147987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data | 0x182000 | 0x4930 | 0x3200 | 016c6e583737ed5ccbe444835264d87c | False | 0.153671875 | DOS executable (block device driver) | 3.9786896322347785 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .rsrc | 0x187000 | 0xafa0 | 0xb000 | 8b8b7c1ae6164c3ae21fb08cef101ac3 | False | 0.11325905539772728 | data | 2.153408950986256 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc | 0x192000 | 0x9700 | 0x9800 | fa628a228d550942b95c34c4f5e3caac | False | 0.5831620065789473 | data | 6.531418125993091 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
              RT_ICON | 0x1875e8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Russian | Russia | 0.1320921985815603
              RT_ICON | 0x187a50 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1600 | Russian | Russia | 0.10465116279069768
              RT_ICON | 0x188108 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Russian | Russia | 0.08770491803278689
              RT_ICON | 0x188a90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Russian | Russia | 0.05722326454033771
              RT_ICON | 0x189b38 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Russian | Russia | 0.03475103734439834
              RT_ICON | 0x18c0e0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | Russian | Russia | 0.02509447331128956
              RT_ICON | 0x190308 | 0x1aae | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Russian | Russia | 0.39780380673499266
              RT_GROUP_ICON | 0x191db8 | 0x68 | data | Russian | Russia | 0.7596153846153846
              RT_VERSION | 0x187250 | 0x398 | OpenPGP Public Key | Russian | Russia | 0.42282608695652174
              RT_MANIFEST | 0x191e20 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
              DLL | Import
              KERNEL32.dll | WaitForSingleObject, LocalAlloc, GetCurrentThreadId, GetModuleHandleA, GetLocaleInfoA, OpenProcess, CreateToolhelp32Snapshot, MultiByteToWideChar, Sleep, GetTempPathA, GetModuleHandleExA, GetTimeZoneInformation, GetTickCount64, CopyFileA, GetLastError, GetFileAttributesA, TzSpecificLocalTimeToSystemTime, CreateFileA, SetEvent, TerminateThread, LoadLibraryA, GetVersionExA, DeleteFileA, Process32Next, CloseHandle, GetSystemInfo, CreateThread, ResetEvent, GetWindowsDirectoryA, HeapAlloc, SetFileAttributesA, GetLocalTime, GetProcAddress, VirtualAllocEx, LocalFree, IsProcessorFeaturePresent, GetFileSize, RemoveDirectoryA, ReadProcessMemory, GetCurrentProcessId, GetProcessHeap, GlobalMemoryStatusEx, SetThreadExecutionState, FreeLibrary, WideCharToMultiByte, CreateRemoteThread, GetComputerNameExA, CreateDirectoryA, GetSystemTime, GetVolumeInformationA, CreateEventA, GetPrivateProfileStringA, IsWow64Process, IsDebuggerPresent, VirtualQueryEx, GetComputerNameA, SetUnhandledExceptionFilter, FindNextFileA, lstrcpynA, SetFilePointer, CreateFileW, AreFileApisANSI, EnterCriticalSection, GetFullPathNameW, GetDiskFreeSpaceW, LockFile, LeaveCriticalSection, InitializeCriticalSection, GetFullPathNameA, SetEndOfFile, GetTempPathW, GetFileAttributesW, FormatMessageW, GetDiskFreeSpaceA, DeleteFileW, UnlockFile, LockFileEx, DeleteCriticalSection, GetSystemTimeAsFileTime, FormatMessageA, QueryPerformanceCounter, GetTickCount, FlushFileBuffers, VirtualQuery, VirtualProtect, WriteConsoleW, HeapSize, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, CreateMutexA, FindClose, lstrlenA, InitializeCriticalSectionEx, GetProcessId, GetUserDefaultLocaleName, TerminateProcess, OutputDebugStringA, WriteFile, GetCurrentProcess, SetPriorityClass, SetLastError, ReadFile, HeapFree, FindFirstFileA, WriteProcessMemory, Process32First, GetPrivateProfileSectionNamesA, SetStdHandle, HeapReAlloc, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, GetFileSizeEx, GetConsoleOutputCP, ReadConsoleW, GetConsoleMode, GetStdHandle, GetModuleFileNameW, GetModuleHandleExW, ExitProcess, GetFileType, GetModuleFileNameA, SetFilePointerEx, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, RaiseException, RtlUnwind, InitializeSListHead, GetStartupInfoW, UnhandledExceptionFilter, SleepConditionVariableSRW, WakeAllConditionVariable, GetStringTypeW, GetLocaleInfoEx, FindFirstFileW, FindFirstFileExW, FindNextFileW, GetFileAttributesExW, GetModuleHandleW, GetFileInformationByHandleEx, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, LCMapStringEx, EncodePointer, DecodePointer, CompareStringEx, GetCPInfo, LoadLibraryExA
              USER32.dll | wsprintfA, GetSystemMetrics, MessageBoxA, GetWindowRect, EnumDisplayDevicesA, GetDC, GetKeyboardLayoutList, CharNextA, GetCursorPos, GetDesktopWindow, ReleaseDC
              GDI32.dll | CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, DeleteObject, BitBlt
              ADVAPI32.dll | RegQueryValueExA, LsaClose, LsaOpenPolicy, RegEnumKeyA, RegCloseKey, RegGetValueA, GetCurrentHwProfileA, LsaFreeMemory, CredEnumerateA, RegCreateKeyExA, GetUserNameA, RegSetValueExA, RegOpenKeyExA, LsaQueryInformationPolicy, RegEnumKeyExA
              SHELL32.dll | ShellExecuteA, SHGetFolderPathA
              ole32.dll | CoInitialize, CoCreateInstance, CoInitializeEx, CoUninitialize
              WS2_32.dll | WSAStartup, socket, connect, recv, freeaddrinfo, setsockopt, WSAGetLastError, shutdown, WSACleanup, closesocket, getaddrinfo
              CRYPT32.dll | CryptUnprotectData
              SHLWAPI.dll | PathFindExtensionA
              gdiplus.dll | GdipGetImageEncoders, GdipCloneImage, GdipAlloc, GdiplusShutdown, GdiplusStartup, GdipSaveImageToFile, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipCreateBitmapFromHBITMAP
              SETUPAPI.dllSetupDiEnumDeviceInfo, SetupDiGetDeviceInterfaceDetailA, SetupDiGetClassDevsA, SetupDiEnumDeviceInterfaces
              ntdll.dllRtlUnicodeStringToAnsiString
              RstrtMgr.DLLRmStartSession, RmGetList, RmRegisterResources, RmShutdown, RmEndSession
Language of compilation system   Country where language is spoken
Russian                          Russia
English                          United States
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
May 3, 2024 06:07:02.238034010 CEST  49705        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:07:03.236388922 CEST  49705        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:07:05.252034903 CEST  49705        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:07:09.267770052 CEST  49705        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:07:17.267771959 CEST  49705        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:07:23.383326054 CEST  49713        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:07:24.392678976 CEST  49713        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:07:26.408281088 CEST  49713        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:07:30.423904896 CEST  49713        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:07:38.424065113 CEST  49713        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:07:44.554830074 CEST  49714        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:07:45.564652920 CEST  49714        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:07:47.564555883 CEST  49714        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:07:51.568836927 CEST  49714        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:07:59.564552069 CEST  49714        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:08:06.162511110 CEST  49716        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:08:07.173937082 CEST  49716        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:08:09.173957109 CEST  49716        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:08:13.173984051 CEST  49716        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:08:21.174048901 CEST  49716        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:08:27.351349115 CEST  49718        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:08:28.345860958 CEST  49718        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:08:30.345849037 CEST  49718        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:08:34.345841885 CEST  49718        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:08:42.361495018 CEST  49718        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:08:48.845076084 CEST  49719        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:08:49.845846891 CEST  49719        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:08:51.846060991 CEST  49719        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:08:55.845854044 CEST  49719        50500      192.168.2.5   87.120.84.5
May 3, 2024 06:09:03.845877886 CEST  49719        50500      192.168.2.5   87.120.84.5

All 30 rows are outbound from the analysis VM (192.168.2.5) to 87.120.84.5 on TCP port 50500, which is what raised the "traffic on non-standard ports" signature. Each source port carries exactly five packets at gaps of roughly 1, 2, 4 and 8 seconds, and the next source port starts about six seconds after the last packet of the previous one. That shape is consistent with connection attempts that receive no answer (SYN retransmissions at a 1 s initial RTO, then a fresh socket after the retries are exhausted; the execution graph below shows a socket, connect, closesocket loop with Sleep calls). Reading it that way is an inference from the timings, since the table lists no replies. For blocking and hunting, the pair 87.120.84.5:50500 is the network indicator to take from this report; the remote host is presumably the stealer's command-and-control endpoint, but nothing in this capture confirms what it would have served.
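The retry pattern described above can be checked mechanically rather than by eye. The following is an added example, not part of the Joe Sandbox report: it takes a constructed copy of the 30 TCP rows in column form, groups them into connection attempts by source port, measures the inter-packet gaps, and reports whether every attempt shows the doubling gaps typical of unanswered SYN retransmissions. The set of ports treated as "standard" is an assumption chosen for the example.

```python
"""Retry-pattern analysis over the TCP rows of this sandbox report.

Added example (not Joe Sandbox output): parse the rows, group them into
connection attempts, and test each attempt for exponential backoff.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed copy of the report's TCP table: timestamp, sport, dport, sip, dip.
TCP_ROWS = """\
May 3, 2024 06:07:02.238034010 CEST 49705 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:07:03.236388922 CEST 49705 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:07:05.252034903 CEST 49705 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:07:09.267770052 CEST 49705 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:07:17.267771959 CEST 49705 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:07:23.383326054 CEST 49713 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:07:24.392678976 CEST 49713 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:07:26.408281088 CEST 49713 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:07:30.423904896 CEST 49713 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:07:38.424065113 CEST 49713 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:07:44.554830074 CEST 49714 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:07:45.564652920 CEST 49714 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:07:47.564555883 CEST 49714 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:07:51.568836927 CEST 49714 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:07:59.564552069 CEST 49714 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:08:06.162511110 CEST 49716 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:08:07.173937082 CEST 49716 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:08:09.173957109 CEST 49716 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:08:13.173984051 CEST 49716 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:08:21.174048901 CEST 49716 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:08:27.351349115 CEST 49718 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:08:28.345860958 CEST 49718 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:08:30.345849037 CEST 49718 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:08:34.345841885 CEST 49718 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:08:42.361495018 CEST 49718 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:08:48.845076084 CEST 49719 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:08:49.845846891 CEST 49719 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:08:51.846060991 CEST 49719 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:08:55.845854044 CEST 49719 50500 192.168.2.5 87.120.84.5
May 3, 2024 06:09:03.845877886 CEST 49719 50500 192.168.2.5 87.120.84.5
"""

# Assumption for this example: ports we treat as "standard"; anything else is flagged.
STANDARD_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8080}

ROW_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+) \S+ "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<sip>[\d.]+) (?P<dip>[\d.]+)$"
)

def parse_ts(text):
    """The report prints nanoseconds; strptime's %f accepts at most six digits."""
    head, frac = text.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")

def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"ts": parse_ts(m["ts"]), "sport": int(m["sport"]),
                         "dport": int(m["dport"]), "sip": m["sip"], "dip": m["dip"]})
    return rows

def is_exponential_backoff(gaps, tolerance=0.25):
    """True when each gap is roughly twice the previous one (needs at least 3 gaps)."""
    return len(gaps) >= 3 and all(
        abs(later / earlier - 2.0) <= tolerance for earlier, later in zip(gaps, gaps[1:]))

def analyse(rows):
    """One attempt = one (sip, sport, dip, dport) tuple; attempts are ordered by first packet."""
    by_attempt = defaultdict(list)
    for r in rows:
        by_attempt[(r["sip"], r["sport"], r["dip"], r["dport"])].append(r["ts"])
    summary = {"attempts": [], "destinations": set()}
    previous_last = None
    for (sip, sport, dip, dport), times in sorted(by_attempt.items(), key=lambda kv: min(kv[1])):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary["attempts"].append({
            "sport": sport, "packets": len(times),
            "gaps": [round(g, 3) for g in gaps],
            "backoff": is_exponential_backoff(gaps),
            # seconds from the last packet of the previous attempt to the first of this one
            "since_previous": None if previous_last is None
                              else round((times[0] - previous_last).total_seconds(), 3),
        })
        previous_last = times[-1]
        summary["destinations"].add((dip, dport))
    summary["non_standard_ports"] = sorted(
        p for _, p in summary["destinations"] if p not in STANDARD_PORTS)
    summary["all_attempts_look_unanswered"] = all(a["backoff"] for a in summary["attempts"])
    return summary

if __name__ == "__main__":
    for attempt in analyse(parse_rows(TCP_ROWS))["attempts"]:
        print(attempt)
```

The same grouping works on any one-direction connection log (firewall or NetFlow exports included): an attempt whose gaps double and whose successor starts from a new ephemeral port after a fixed pause is a client that never got a SYN-ACK, which is worth knowing before you treat a sandbox run as a complete picture of the C2 protocol.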


Target ID: 0
Start time: 06:06:53
Start date: 03/05/2024 (3 May 2024)
Path: C:\Users\user\Desktop\ZtQY1K6aTi.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\ZtQY1K6aTi.exe"
Imagebase: 0x1a0000
File size: 1'672'704 bytes
MD5 hash: 7F991BD7699126D6CCA12241DE7E7C44
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Two details here matter when reading the rest of the report. The sample ran with administrator privileges: the Windows Defender changes in the Signatures section (exclusion list, real-time protection, autostart removal, Group Policy settings) are registry writes under HKLM that require those rights, so a run as a standard user, or a re-run in a different sandbox, will not reproduce them unless the privilege level matches. And the process had not exited when the analysis window closed, which fits the network table: it was still cycling through connection attempts to 87.120.84.5:50500.


Execution Graph

Execution Coverage: 1.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 13.5%
Total number of Nodes: 769
Total number of Limit Nodes: 19

execution_graph: the node and edge listing of the rendered graph is omitted here (the textual dump in this copy is also truncated). API sequences that are legible in the listing, which are what the signatures above were matched against:
- LoadLibraryA followed by GetProcAddress, and GetModuleHandleA (run-time API resolution)
- GetPEB with IsDebuggerPresent; IsDebuggerPresent, IsProcessorFeaturePresent, GetVolumeInformationA (debugger and environment checks)
- GetTickCount64, Sleep, GetTickCount64 (timing check)
- GetCursorPos, Sleep, GetCursorPos in a loop (cursor-movement check)
- GetUserNameA, GetComputerNameA, then GetCurrentProcess, TerminateProcess
- CoInitializeEx, CoCreateInstance, then repeated RegCreateKeyExA / RegOpenKeyExA / RegSetValueExA calls ending in RegCloseKey and CoUninitialize (likely the registry writes behind the Defender and Group Policy signatures)
- GetProcessId, MessageBoxA, SetThreadExecutionState, GetTempPathA, CreateThread
- WSAStartup, getaddrinfo, socket, connect, closesocket, freeaddrinfo, WSACleanup, with setsockopt, recv, WSAGetLastError and Sleep inside the loop
- CreateFileW, GetFileType, CloseHandle, SetFilePointerEx, ReadFile, ReadConsoleW, GetConsoleMode (C runtime file I/O), GetSystemTimePreciseAsFileTime, GetStartupInfoW
__dosmaperr 90595->90643 90598 1e2aa8 90644 1d8c50 41 API calls __fread_nolock 90598->90644 90599 1e2b01 90600 1e2b7e 90599->90600 90599->90604 90646 1d8c7d 11 API calls std::locale::_Setgloballocale 90600->90646 90603 1e2b8a 90604->90506 90604->90507 90606 1ee796 __FrameHandler3::FrameUnwindToState 90605->90606 90649 1e423b EnterCriticalSection 90606->90649 90608 1ee79d 90610 1ee7c2 90608->90610 90614 1ee831 EnterCriticalSection 90608->90614 90616 1ee7e4 90608->90616 90653 1ee564 15 API calls 3 library calls 90610->90653 90613 1ee7c7 90613->90616 90654 1ee6b2 EnterCriticalSection 90613->90654 90615 1ee83e LeaveCriticalSection 90614->90615 90614->90616 90615->90608 90650 1ee894 90616->90650 90618->90526 90619->90511 90620->90517 90621->90518 90622->90511 90623->90530 90624->90511 90625->90527 90626->90535 90627->90532 90628->90534 90629->90517 90630->90538 90631->90544 90632->90547 90633->90549 90635 1e29b9 90634->90635 90638 1e29d4 90635->90638 90647 1e16ef 14 API calls __dosmaperr 90635->90647 90637 1e29f8 90648 1d8c50 41 API calls __fread_nolock 90637->90648 90638->90595 90640 1e2a03 90640->90595 90641->90591 90642->90593 90643->90598 90644->90594 90645->90599 90646->90603 90647->90637 90648->90640 90649->90608 90655 1e4283 LeaveCriticalSection 90650->90655 90652 1e2d13 90652->90512 90652->90513 90653->90613 90654->90616 90655->90652

                Control-flow Graph
                APIs
                • CreateThread.KERNELBASE(00000000,00000000,Function_000C4EB0,00000000,00000000,00000000), ref: 001FA16B
                • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 001FA172
                • Sleep.KERNELBASE(00000001), ref: 001FA22E
                • GetTempPathA.KERNEL32(000000FC,?,00000000,?,?,?,?,?,00000000), ref: 001FA2BA
                  • Part of subcall function 00284050: GetFileAttributesA.KERNEL32(?,?,00000006,00000005,00000005,?), ref: 002840AC
                  • Part of subcall function 00284050: GetLastError.KERNEL32(?,?,00000006,00000005,00000005,?), ref: 002840B7
                • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,?,00000000,?,?,?,?,?,00000000), ref: 001FA4A5
                • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,?,00000000,?,?,?,?,?,00000000), ref: 001FA4CB
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001FA4E2
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: Create$Directory$AttributesChangeCloseErrorFileFindLastNotificationPathSleepTempThreadUnothrow_t@std@@@__ehfuncinfo$??2@
                • String ID: (c2$2586$43t res tgy45yfhyrt$h0u$hXb2$hhc2$hxc2$jjj$t=2$t=2$t=2$t=2$t=2$v<Ea$v<Ea$v<Ea
                • API String ID: 2868636072-3305052068
                • Opcode ID: ca58999fecf37ec6be3a3115a0aeaa506136e26005fed9ae1b560eef9f77f686
                • Instruction ID: 87f49bc86eac743ddae5c8ff93e4cb68a4a4f84d23be57c63dd63bdb224edde3
                • Opcode Fuzzy Hash: ca58999fecf37ec6be3a3115a0aeaa506136e26005fed9ae1b560eef9f77f686
                • Instruction Fuzzy Hash: F422BBB0E00219DBCB15EFA8C856BEEBBB1AF55300F544198E9096B391DB346E44CF92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CoInitializeEx.OLE32(00000000,00000002,61453C75,811C9DC5), ref: 00270A17
                • CoCreateInstance.OLE32(0030426C,00000000,00000001,0030B4FC,00000000), ref: 00270A51
                • RegCreateKeyExA.KERNELBASE(?,?,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00270CF5
                • RegSetValueExA.KERNELBASE(?,?,00000000,00000004,00000001,00000004), ref: 00270EBB
                • RegCreateKeyExA.KERNELBASE(?,?,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 0027118A
                • RegSetValueExA.KERNELBASE(?,?,00000000,00000001,?,00000002), ref: 002712CE
                • RegOpenKeyExA.KERNELBASE(?,?,00000000,00020006,?), ref: 002714A7
                • RegSetValueExA.KERNELBASE(?,?,00000000,00000004,00000001,00000004), ref: 0027168B
                • RegSetValueExA.KERNELBASE(?,?,00000000,00000004,00000001,00000004), ref: 00271843
                • RegOpenKeyExA.KERNELBASE(?,?,00000000,00020006,?), ref: 002719EF
                • RegCreateKeyExA.KERNELBASE(?,?,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00271E87
                • RegSetValueExA.KERNELBASE(?,?,00000000,00000004,00000001,00000004), ref: 00272058
                • RegSetValueExA.KERNELBASE(?,?,00000000,00000004,00000001,00000004), ref: 00272228
                • RegSetValueExA.KERNELBASE(?,?,00000000,00000004,00000001,00000004), ref: 002723F8
                • RegSetValueExA.KERNELBASE(?,?,00000000,00000004,00000001,00000004), ref: 002725A8
                • RegSetValueExA.KERNELBASE(?,?,00000000,00000004,00000001,00000004), ref: 00272758
                • RegSetValueExA.KERNELBASE(?,?,00000000,00000004,00000001,00000004), ref: 00272928
                • RegCloseKey.KERNELBASE(?), ref: 002729BE
                • CoUninitialize.OLE32(00000000), ref: 002729EA
                Similarity
                • API ID: Value$Create$Open$CloseInitializeInstanceUninitialize
                • String ID: v<Ea$v<Ea
                • API String ID: 1434900157-2190929436
                • Opcode ID: 7307500e0c4c3a679a735b4157eaf05c66ed2a651ec19184f07a6d1eb23f25ff
                • Instruction ID: 2de7ba31bd82a7ffdf2cffa8d27071f0a50c675faeb8809da69ff40fbea3d068
                • Opcode Fuzzy Hash: 7307500e0c4c3a679a735b4157eaf05c66ed2a651ec19184f07a6d1eb23f25ff
                • Instruction Fuzzy Hash: 8C33C0B4D0525A8FCB19CF98C991AEEBBB1FF48310F244199D949BB350D7306A81CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph
                APIs
                • LoadLibraryA.KERNELBASE(00000000), ref: 001F95EB
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 001F96C8
                • MessageBoxA.USER32(00000000,00000000,00000000,00000014), ref: 001F992D
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001F995F
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001F99C8
                • GetProcessId.KERNELBASE(0000A9BE,00000000,00000000,00000003,00000000,00000000,00000000,00000003,00000000,00000000), ref: 001F9A26
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001F9E46
                • SetThreadExecutionState.KERNEL32(80000041), ref: 001F9EB0
                • SetThreadExecutionState.KERNEL32(80000001), ref: 001F9EBB
                Similarity
                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$ExecutionStateThread$AddressLibraryLoadMessageProcProcess
                • String ID: /*************/$0Dl$8e2$8e2$8e2$hb2$v<Ea$v<Ea$Mr
                • API String ID: 3049294613-24350104
                • Opcode ID: a06e8b99f8d0c1eb7a7b2ee1332eeeedc2b1e20a6fb4dcc0a038258be1f6e676
                • Instruction ID: 924fdd06020c5d8dedfc34a5d1b97a8fa2d98da051dfe91e7cc8a82062f14da5
                • Opcode Fuzzy Hash: a06e8b99f8d0c1eb7a7b2ee1332eeeedc2b1e20a6fb4dcc0a038258be1f6e676
                • Instruction Fuzzy Hash: 666247B4E002198FCB15DF98C995BAEBBB1EF48310F244199D909BB351DB70AE81CF91
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph
                Similarity
                • API ID: Cursor$Sleep
                • String ID:
                • API String ID: 1847515627-0
                • Opcode ID: 7c4abb6c82b81b0509319ac4c6c0364c87b76071692872dc66002c24e38e995c
                • Instruction ID: 4b6047b712600c90a57992d19f2a058c2ece04be39a49c0010abd7aba1d6470a
                • Opcode Fuzzy Hash: 7c4abb6c82b81b0509319ac4c6c0364c87b76071692872dc66002c24e38e995c
                • Instruction Fuzzy Hash: B5519D35A04119CFCB18CF58D8D0EB9B7B2FF45754B2A4199DA45AB352D731ED06CB80
                Uniqueness

                Uniqueness Score: -1.00%

                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 06ebe4beb484f22a2609c0ccc7c45953d4e706c4f685085bf56cf8dbf2ee9ba3
                • Instruction ID: fb9668b5fac5ecaca169b5f9e0c8e482ecd827a21358d1f8e1293f4505b408cf
                • Opcode Fuzzy Hash: 06ebe4beb484f22a2609c0ccc7c45953d4e706c4f685085bf56cf8dbf2ee9ba3
                • Instruction Fuzzy Hash: C441B675A00518AFCB15DF6CD8809EEBBB9FF55360F50422AF928DB341DB319A50CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph
                APIs
                • std::_Throw_Cpp_error.LIBCPMT ref: 00264E8B
                • std::_Throw_Cpp_error.LIBCPMT ref: 00264E9C
                • setsockopt.WS2_32(FFFFFFFF,0000FFFF,00001006,?,00000008), ref: 00264F56
                • recv.WS2_32(?,00000004,00000002), ref: 00264F71
                • WSAGetLastError.WS2_32 ref: 00264F75
                • recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00264FF3
                • recv.WS2_32(00000000,0000000C,00000008), ref: 00265014
                • setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 002650B0
                • recv.WS2_32(00000000,?,00000008), ref: 002650CB
                Similarity
                • API ID: recv$Cpp_errorThrow_setsockoptstd::_$ErrorLast
                • String ID: (c2$v<Ea
                • API String ID: 4262120464-1552078506
                • Opcode ID: 11f5f8c1f5d5aa027b01c86f1ce0dab49c26ca7e82250534641d2028d1faf4cf
                • Instruction ID: 10fb924f82e6c6b30ede95137aa153bf3e33ce43b1deaa9cc370b635d00fb913
                • Opcode Fuzzy Hash: 11f5f8c1f5d5aa027b01c86f1ce0dab49c26ca7e82250534641d2028d1faf4cf
                • Instruction Fuzzy Hash: 5BE1CBB0C04348DFEB11DFA8DC89BADBBB4FF15310F204259E854AB292D7B55985CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph
                APIs
                • setsockopt.WS2_32(FFFFFFFF,0000FFFF,00001006,?,00000008), ref: 00264F56
                • recv.WS2_32(?,00000004,00000002), ref: 00264F71
                • WSAGetLastError.WS2_32 ref: 00264F75
                • recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00264FF3
                • recv.WS2_32(00000000,0000000C,00000008), ref: 00265014
                • setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 002650B0
                • recv.WS2_32(00000000,?,00000008), ref: 002650CB
                  • Part of subcall function 00265940: WSAStartup.WS2_32 ref: 0026596A
                  • Part of subcall function 00265940: getaddrinfo.WS2_32(?,?,?,00326328), ref: 002659EC
                  • Part of subcall function 00265940: socket.WS2_32(?,?,?), ref: 00265A0D
                  • Part of subcall function 00265940: connect.WS2_32(00000000,002F6B31,?), ref: 00265A21
                  • Part of subcall function 00265940: closesocket.WS2_32(00000000), ref: 00265A2D
                  • Part of subcall function 00265940: freeaddrinfo.WS2_32(?,?,?,?,00326328,?,?), ref: 00265A3A
                  • Part of subcall function 00265940: WSACleanup.WS2_32 ref: 00265A40
                • recv.WS2_32(?,00000004,00000008), ref: 002651D3
                • __Xtime_get_ticks.LIBCPMT ref: 002651DA
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002651E8
                • Sleep.KERNEL32(00000001,00000000,?,00002710,00000000), ref: 00265261
                • Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00265269
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: recv$Sleepsetsockopt$CleanupErrorLastStartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectfreeaddrinfogetaddrinfosocket
                • String ID: (c2
                • API String ID: 4125349891-1327015854
                • Opcode ID: 82a28b7c25f56a87e4a045a4df7c52dd68d4dcdac12f976040c79280ddf46861
                • Instruction ID: 7296d4ef6043de0973da9cd3ced8ff04540d721c754c6b45158ed6e2fc7e419d
                • Opcode Fuzzy Hash: 82a28b7c25f56a87e4a045a4df7c52dd68d4dcdac12f976040c79280ddf46861
                • Instruction Fuzzy Hash: F0B1BBB0D10318DFEB21DFA8DC4ABADBBB5BF55310F204219E454AB2E2D7B05985CB81
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 627 1e2cc3-1e2cf3 call 1e2a11 630 1e2d0e-1e2d1a call 1ee78a 627->630 631 1e2cf5-1e2d00 call 1e16dc 627->631 636 1e2d1c-1e2d31 call 1e16dc call 1e16ef 630->636 637 1e2d33-1e2d7c call 1e297c 630->637 638 1e2d02-1e2d09 call 1e16ef 631->638 636->638 647 1e2d7e-1e2d87 637->647 648 1e2de9-1e2df2 GetFileType 637->648 645 1e2fe8-1e2fec 638->645 652 1e2dbe-1e2de4 GetLastError call 1e1695 647->652 653 1e2d89-1e2d8d 647->653 649 1e2e3b-1e2e3e 648->649 650 1e2df4-1e2e25 GetLastError call 1e1695 CloseHandle 648->650 656 1e2e47-1e2e4d 649->656 657 1e2e40-1e2e45 649->657 650->638 666 1e2e2b-1e2e36 call 1e16ef 650->666 652->638 653->652 658 1e2d8f-1e2dbc call 1e297c 653->658 661 1e2e51-1e2e9f call 1ee6d5 656->661 662 1e2e4f 656->662 657->661 658->648 658->652 669 1e2ebe-1e2ee6 call 1e2726 661->669 670 1e2ea1-1e2ead call 1e2b8b 661->670 662->661 666->638 677 1e2eeb-1e2f2c 669->677 678 1e2ee8-1e2ee9 669->678 670->669 676 1e2eaf 670->676 679 1e2eb1-1e2eb9 call 1e8dbf 676->679 680 1e2f2e-1e2f32 677->680 681 1e2f4d-1e2f5b 677->681 678->679 679->645 680->681 685 1e2f34-1e2f48 680->685 682 1e2fe6 681->682 683 1e2f61-1e2f65 681->683 682->645 683->682 686 1e2f67-1e2f9a CloseHandle call 1e297c 683->686 685->681 690 1e2fce-1e2fe2 686->690 691 1e2f9c-1e2fc8 GetLastError call 1e1695 call 1ee89d 686->691 690->682 691->690
                APIs
                  • Part of subcall function 001E297C: CreateFileW.KERNELBASE(?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 001E2999
                • GetLastError.KERNEL32 ref: 001E2DD7
                • __dosmaperr.LIBCMT ref: 001E2DDE
                • GetFileType.KERNELBASE(00000000), ref: 001E2DEA
                • GetLastError.KERNEL32 ref: 001E2DF4
                • __dosmaperr.LIBCMT ref: 001E2DFD
                • CloseHandle.KERNEL32(00000000), ref: 001E2E1D
                • CloseHandle.KERNEL32(?), ref: 001E2F6A
                • GetLastError.KERNEL32 ref: 001E2F9C
                • __dosmaperr.LIBCMT ref: 001E2FA3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                • String ID: H
                • API String ID: 4237864984-2852464175
                • Opcode ID: ac5b7c00e92bb00344f198e3120b7a4fadce35d211524d25e7f25f773c50c564
                • Instruction ID: 8a1056732baa0d8dc535bb2440da33c7a3c34cf471afb8cd8e2b4124af29088d
                • Opcode Fuzzy Hash: ac5b7c00e92bb00344f198e3120b7a4fadce35d211524d25e7f25f773c50c564
                • Instruction Fuzzy Hash: E2A16832A149949FCF19AF69DC61BBD3BB9AB16324F18015DF801EF3A1DB348906CB51
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 696 1e8900-1e8910 697 1e892a-1e892c 696->697 698 1e8912-1e8925 call 1e16dc call 1e16ef 696->698 700 1e8c6c-1e8c79 call 1e16dc call 1e16ef 697->700 701 1e8932-1e8938 697->701 714 1e8c84 698->714 719 1e8c7f call 1d8c50 700->719 701->700 704 1e893e-1e8967 701->704 704->700 707 1e896d-1e8976 704->707 710 1e8978-1e898b call 1e16dc call 1e16ef 707->710 711 1e8990-1e8992 707->711 710->719 712 1e8c68-1e8c6a 711->712 713 1e8998-1e899c 711->713 718 1e8c87-1e8c8a 712->718 713->712 717 1e89a2-1e89a6 713->717 714->718 717->710 721 1e89a8-1e89bf 717->721 719->714 724 1e89f4-1e89fa 721->724 725 1e89c1-1e89c4 721->725 729 1e89ce-1e89e5 call 1e16dc call 1e16ef call 1d8c50 724->729 730 1e89fc-1e8a03 724->730 727 1e89ea-1e89f2 725->727 728 1e89c6-1e89cc 725->728 732 1e8a67-1e8a86 727->732 728->727 728->729 761 1e8b9f 729->761 733 1e8a07-1e8a25 call 1eb086 call 1eb00c * 2 730->733 734 1e8a05 730->734 735 1e8a8c-1e8a98 732->735 736 1e8b42-1e8b4b call 1f3bd1 732->736 765 1e8a27-1e8a3d call 1e16ef call 1e16dc 733->765 766 1e8a42-1e8a65 call 1e25ed 733->766 734->733 735->736 739 1e8a9e-1e8aa0 735->739 750 1e8bbc 736->750 751 1e8b4d-1e8b5f 736->751 739->736 743 1e8aa6-1e8ac7 739->743 743->736 747 1e8ac9-1e8adf 743->747 747->736 752 1e8ae1-1e8ae3 747->752 754 1e8bc0-1e8bd6 ReadFile 750->754 751->750 756 1e8b61-1e8b70 GetConsoleMode 751->756 752->736 757 1e8ae5-1e8b08 752->757 759 1e8bd8-1e8bde 754->759 760 1e8c34-1e8c3f GetLastError 754->760 756->750 762 1e8b72-1e8b76 756->762 757->736 764 1e8b0a-1e8b20 757->764 759->760 769 1e8be0 759->769 767 1e8c58-1e8c5b 760->767 768 1e8c41-1e8c53 call 1e16ef call 1e16dc 760->768 763 1e8ba2-1e8bac call 1eb00c 761->763 762->754 770 1e8b78-1e8b90 ReadConsoleW 762->770 763->718 764->736 776 1e8b22-1e8b24 764->776 765->761 766->732 773 1e8b98-1e8b9e call 1e1695 767->773 774 1e8c61-1e8c63 767->774 768->761 780 1e8be3-1e8bf5 769->780 771 1e8b92 GetLastError 770->771 772 1e8bb1-1e8bba 770->772 771->773 772->780 773->761 774->763 776->736 783 1e8b26-1e8b3d 776->783 780->763 787 1e8bf7-1e8bfb 780->787 783->736 791 1e8bfd-1e8c0d call 1e8612 787->791 792 1e8c14-1e8c21 787->792 801 1e8c10-1e8c12 791->801 794 1e8c2d-1e8c32 call 1e8458 792->794 795 1e8c23 call 1e8769 792->795 802 1e8c28-1e8c2b 794->802 795->802 801->763 802->801
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID: 0-3907804496
                • Opcode ID: bbfe466201b8afee3eb381963ff292d11cdb36307a0b1718799d0f552a9f8495
                • Instruction ID: 75e2ac60a65e7570aaa4a58e3ee7d201195b3ee7b3fa8bffc0c8e658cfe6e660
                • Opcode Fuzzy Hash: bbfe466201b8afee3eb381963ff292d11cdb36307a0b1718799d0f552a9f8495
                • Instruction Fuzzy Hash: 87B139B0E04AC8AFDB11DF9AC881BBEBBB5BF59314F144158E408A7392DB709D41CB60
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 804 265940-265972 WSAStartup 805 265a46-265a4f 804->805 806 265978-2659a2 call 2877d0 * 2 804->806 811 2659a4-2659a8 806->811 812 2659ae-2659f4 getaddrinfo 806->812 811->805 811->812 813 2659f6-2659fc 812->813 814 265a40 WSACleanup 812->814 815 265a54-265a5e freeaddrinfo 813->815 816 2659fe 813->816 814->805 815->814 817 265a60-265a68 815->817 818 265a04-265a18 socket 816->818 818->814 819 265a1a-265a2a connect 818->819 820 265a50 819->820 821 265a2c-265a34 closesocket 819->821 820->815 821->818 822 265a36-265a3a freeaddrinfo 821->822 822->814
                APIs
                • WSAStartup.WS2_32 ref: 0026596A
                • getaddrinfo.WS2_32(?,?,?,00326328), ref: 002659EC
                • socket.WS2_32(?,?,?), ref: 00265A0D
                • connect.WS2_32(00000000,002F6B31,?), ref: 00265A21
                • closesocket.WS2_32(00000000), ref: 00265A2D
                • freeaddrinfo.WS2_32(?,?,?,?,00326328,?,?), ref: 00265A3A
                • WSACleanup.WS2_32 ref: 00265A40
                • freeaddrinfo.WS2_32(?,?,?,?,00326328,?,?), ref: 00265A55
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: freeaddrinfo$CleanupStartupclosesocketconnectgetaddrinfosocket
                • String ID:
                • API String ID: 58224237-0
                • Opcode ID: 55a48f378cf99625307b610a43d224e381214a66ffbfe4ef6b149f0a43ac5632
                • Instruction ID: 23b8f9213e43600dbb0da717df4ebe04380271c0a6dc2d899c68189ff5ceeab1
                • Opcode Fuzzy Hash: 55a48f378cf99625307b610a43d224e381214a66ffbfe4ef6b149f0a43ac5632
                • Instruction Fuzzy Hash: 8A31B0725057119BD7209F68EC88A6ABBE5FF84774F10476DF8A9922E0D330AC54CB92
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • ___scrt_release_startup_lock.LIBCMT ref: 001D3C73
                • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 001D3C87
                • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 001D3CAD
                • ___scrt_uninitialize_crt.LIBCMT ref: 001D3CF0
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: ___scrt_is_nonwritable_in_current_image$___scrt_release_startup_lock___scrt_uninitialize_crt
                • String ID:
                • API String ID: 3089971210-0
                • Opcode ID: 273f18b488bf60f3e0db17840ac3236cb01564e07e1e0e56932628cbaa4acc54
                • Instruction ID: 25524e1dc6f6621982aa016abaca55028d701e34d87ed438d973e82b46062e03
                • Opcode Fuzzy Hash: 273f18b488bf60f3e0db17840ac3236cb01564e07e1e0e56932628cbaa4acc54
                • Instruction Fuzzy Hash: D7214672110A51ABCB353B76AC0BA6E77959F62BA0F20002BF4613B3D2CB354F409612
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 885 273430-273457 GetTickCount64 Sleep GetTickCount64 886 273459-27345e 885->886 887 273468-27346f 885->887 886->887 888 273460-273467 886->888
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: Count64Tick$Sleep
                • String ID:
                • API String ID: 417912201-0
                • Opcode ID: e5c3f3a7802ea171017ea611e5c98e195bf89337cabcb91e514377260ffb4259
                • Instruction ID: f97ab6e9b80a0b674d1df551c38f65511f7a3099e8b17c74107971280c1b7c45
                • Opcode Fuzzy Hash: e5c3f3a7802ea171017ea611e5c98e195bf89337cabcb91e514377260ffb4259
                • Instruction Fuzzy Hash: C2E0CD7274020957DA116F7DBC8D639B798F7D5773B14427BED0CC2250DC228C26B566
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 889 2846e0-2847ca call 1bae80 call 1d9810 894 2847cc-284802 call 1dd5e6 call 1d939b call 1dd5e6 889->894 895 284841-284862 call 1a2df0 889->895 904 284804-28480b 894->904 905 284815-28481c call 1b8dc0 894->905 906 28480d 904->906 907 28480f-284813 904->907 910 284821 905->910 906->907 909 284824-28482a 907->909 911 28482c 909->911 912 28482e-284839 call 1e208f call 1dd098 909->912 910->909 911->912 916 28483e 912->916 916->895
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: __fread_nolock
                • String ID: v<Ea
                • API String ID: 2638373210-4124759590
                • Opcode ID: 8740f70b0e89d49ff8bf9258a0b705977b7f8cd8078387a5003930a8796f815c
                • Instruction ID: ebbab229dc83a4476ad5bfd6c55343632dca29f7c24f36e58c12fc4f9af0101c
                • Opcode Fuzzy Hash: 8740f70b0e89d49ff8bf9258a0b705977b7f8cd8078387a5003930a8796f815c
                • Instruction Fuzzy Hash: C35139B5D002489BCB10EF98D981BEEBBF4EF59710F244159E814BB381D771AE41CBA5
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 917 1e8def-1e8e03 call 1ee92e 920 1e8e09-1e8e11 917->920 921 1e8e05-1e8e07 917->921 923 1e8e1c-1e8e1f 920->923 924 1e8e13-1e8e1a 920->924 922 1e8e57-1e8e77 call 1ee89d 921->922 933 1e8e89 922->933 934 1e8e79-1e8e87 call 1e16b8 922->934 927 1e8e3d-1e8e4d call 1ee92e FindCloseChangeNotification 923->927 928 1e8e21-1e8e25 923->928 924->923 926 1e8e27-1e8e3b call 1ee92e * 2 924->926 926->921 926->927 927->921 936 1e8e4f-1e8e55 GetLastError 927->936 928->926 928->927 938 1e8e8b-1e8e8e 933->938 934->938 936->922
                APIs
                • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,001E8CD6,00000000,CF830579,00317178,0000000C,001E8D92,001DD06D,?), ref: 001E8E45
                • GetLastError.KERNEL32(?,001E8CD6,00000000,CF830579,00317178,0000000C,001E8D92,001DD06D,?), ref: 001E8E4F
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: ChangeCloseErrorFindLastNotification
                • String ID:
                • API String ID: 1687624791-0
                • Opcode ID: d12629ed9da1f71814002f0234a8011bdeed74058da325262f018cc618750ff3
                • Instruction ID: 49b703d19bccbe7cd4c907fabaea17f8c1a46651e26cbe5c8c9ebc22b091a739
                • Opcode Fuzzy Hash: d12629ed9da1f71814002f0234a8011bdeed74058da325262f018cc618750ff3
                • Instruction Fuzzy Hash: 46118E33600EE05AC6262376BC49B7E67C98B96B38F29061DF81C971C2EF319C81C190
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 942 1e250c-1e2524 call 1ee92e 945 1e253a-1e2550 SetFilePointerEx 942->945 946 1e2526-1e252d 942->946 948 1e2565-1e256f 945->948 949 1e2552-1e2563 GetLastError call 1e16b8 945->949 947 1e2534-1e2538 946->947 950 1e258b-1e258e 947->950 948->947 952 1e2571-1e2586 948->952 949->947 952->950
                APIs
                • SetFilePointerEx.KERNELBASE(00000000,00000000,00316E30,001D2B4E,00000002,001D2B4E,00000000,?,?,?,001E2616,00000000,?,001D2B4E,00000002,00316E30), ref: 001E2548
                • GetLastError.KERNEL32(001D2B4E,?,?,?,001E2616,00000000,?,001D2B4E,00000002,00316E30,00000000,001D2B4E,00000000,00316E30,0000000C,001DD60E), ref: 001E2555
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: ErrorFileLastPointer
                • String ID:
                • API String ID: 2976181284-0
                • Opcode ID: 23d08c79a6c3eca09a79e06155423c650215eca745b614a3f1b96a2ec7fbca62
                • Instruction ID: c2ecad8b1b2a22258830ee5d4ae52e4a60b3a5ea40154843f89080ea8b2e9165
                • Opcode Fuzzy Hash: 23d08c79a6c3eca09a79e06155423c650215eca745b614a3f1b96a2ec7fbca62
                • Instruction Fuzzy Hash: 9801C832610555AFCF098F56EC25DAE3B6DEF85330F240218F81197291EB71E941CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 954 1d8df2-1d8dff 955 1d8e29-1d8e3d call 1ea1db 954->955 956 1d8e01-1d8e24 call 1d8bd3 954->956 962 1d8e3f 955->962 963 1d8e42-1d8e4b call 1e25cf 955->963 961 1d8f90-1d8f92 956->961 962->963 965 1d8e50-1d8e5f 963->965 966 1d8e6f-1d8e78 965->966 967 1d8e61 965->967 970 1d8e8c-1d8ec0 966->970 971 1d8e7a-1d8e87 966->971 968 1d8f39-1d8f3e 967->968 969 1d8e67-1d8e69 967->969 972 1d8f8e-1d8f8f 968->972 969->966 969->968 974 1d8f1d-1d8f29 970->974 975 1d8ec2-1d8ecc 970->975 973 1d8f8c 971->973 972->961 973->972 976 1d8f2b-1d8f32 974->976 977 1d8f40-1d8f43 974->977 978 1d8ece-1d8eda 975->978 979 1d8ef3-1d8eff 975->979 976->968 980 1d8f46-1d8f4e 977->980 978->979 981 1d8edc-1d8eee call 1d915e 978->981 979->977 982 1d8f01-1d8f1b call 1d9309 979->982 983 1d8f8a 980->983 984 1d8f50-1d8f56 980->984 981->972 982->980 983->973 988 1d8f6e-1d8f72 984->988 989 1d8f58-1d8f6c call 1d8f93 984->989 992 1d8f85-1d8f87 988->992 993 1d8f74-1d8f82 call 1f8650 988->993 989->972 992->983 993->992
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e8080f48df3aa79a4d5c03e33d0338291e66c0597f77789de7d520bf31942726
                • Instruction ID: 063816e701be10624dfa2071127851b5cad3942af035439b71efeb05ac885f82
                • Opcode Fuzzy Hash: e8080f48df3aa79a4d5c03e33d0338291e66c0597f77789de7d520bf31942726
                • Instruction Fuzzy Hash: AF51C471A00214AFDF14DF58C885AAD7BB6EF99324F29815AF8099B352D731DE41CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 997 1eac71-1eac97 call 1eaa47 1000 1eac99-1eacab call 1e2ca3 997->1000 1001 1eacf0-1eacf3 997->1001 1003 1eacb0-1eacb5 1000->1003 1003->1001 1004 1eacb7-1eacef 1003->1004
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: __wsopen_s
                • String ID:
                • API String ID: 3347428461-0
                • Opcode ID: 330aadf0607906bfff930cff6822c1ef3da1a21549bfdf57a53ff053c05d6370
                • Instruction ID: fb98106ffc6322b58b0b1a8d95cb4498343d2bb282a4fdd9d40b198dc6a6e48d
                • Opcode Fuzzy Hash: 330aadf0607906bfff930cff6822c1ef3da1a21549bfdf57a53ff053c05d6370
                • Instruction Fuzzy Hash: A9114571A0024AAFCB05DF59E941A9F7BF8EF48314F114069F809AB212D730EA11CBA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___scrt_release_startup_lock.LIBCMT ref: 001D3C73
                Similarity
                • API ID: ___scrt_release_startup_lock
                • String ID:
                • API String ID: 1340410277-0
                • Opcode ID: 01188f6d95d7aeff6a392f970752cd965f913b4d469be6fafe7d352c8d578577
                • Instruction ID: 93d12de82955b13ce1e40368e2d2a297c56a58ecb2d05d23f68462944947c7cf
                • Opcode Fuzzy Hash: 01188f6d95d7aeff6a392f970752cd965f913b4d469be6fafe7d352c8d578577
                • Instruction Fuzzy Hash: C201F231641664ABCB21B7F55C077EE66665F35718F14001BF0A07B383CB304B80D662
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • Concurrency::cancel_current_task.LIBCPMT ref: 001A331F
                Similarity
                • API ID: Concurrency::cancel_current_task
                • String ID:
                • API String ID: 118556049-0
                • Opcode ID: 88e0f75f83d5f9e69285ef2088a1dfdc1055322beeb667a90db4e8c6ac7f301f
                • Instruction ID: d087e1d161fdd4d9aa454510caadfc3fe8587af2e61bb15ca0562fd42ad40bb3
                • Opcode Fuzzy Hash: 88e0f75f83d5f9e69285ef2088a1dfdc1055322beeb667a90db4e8c6ac7f301f
                • Instruction Fuzzy Hash: DFF0B4761001049BCF146F64D4169E9B3E8EF253A1710097BF8ADC7612EB36DA40C791
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000000,00000001,?,?,001D4B2F,?,?,76A923A0,?,?,001A3522,?,?), ref: 001EB0B8
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: ca1c16a33b55099fd9cd37331fe4a0027fe622b2522fef4af20a1d9b19f002fc
                • Instruction ID: f8eed5354d59d990d8c07b69395634edd21c4a0d2e9296c1002a7858688f7462
                • Opcode Fuzzy Hash: ca1c16a33b55099fd9cd37331fe4a0027fe622b2522fef4af20a1d9b19f002fc
                • Instruction Fuzzy Hash: C9E06531108ED16BE63527679C45B5F3669AF413B0F150231FD65970E1DF61EC0086E1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateFileW.KERNELBASE(?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 001E2999
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: 987b8ab738f2568e8b2f84dbc2a7ca97bb2103b6173919ce6320a31803b99a11
                • Instruction ID: 7c6d08c718e0431ed21dff6532349e5cb39921f2dc94293e1d7596be72b1c80b
                • Opcode Fuzzy Hash: 987b8ab738f2568e8b2f84dbc2a7ca97bb2103b6173919ce6320a31803b99a11
                • Instruction Fuzzy Hash: 76D06C3200010DBFDF028F84EC0AEDA3BAAFB48754F014010BA1C56120C732E821EB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?), ref: 0023CD44
                • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0023CE42
                • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 0023D035
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 0023F796
                  • Part of subcall function 00284050: GetFileAttributesA.KERNEL32(?,?,00000006,00000005,00000005,?), ref: 002840AC
                  • Part of subcall function 00284050: GetLastError.KERNEL32(?,?,00000006,00000005,00000005,?), ref: 002840B7
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 0023FA7D
                • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00240FAE
                Strings
                Similarity
                • API ID: CreateDirectoryPrivateProfile$AttributesErrorFileFolderLastNamesPathSectionStringlstrlen
                • String ID: XO4$cannot use operator[] with a string argument with $cannot use push_back() with $v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
                • API String ID: 2833034228-769388876
                • Opcode ID: f52f8c2eaafdae72fc268df55ba6506d5cc8bddc7736d6d50beec6e3a52caff3
                • Instruction ID: c17e9149a90dd02f0565d3c83501c9b1d5a4dda22922155b333f55eae922283e
                • Opcode Fuzzy Hash: f52f8c2eaafdae72fc268df55ba6506d5cc8bddc7736d6d50beec6e3a52caff3
                • Instruction Fuzzy Hash: 1393BBB4D152A98ADB65CF28C995BEDBBB1AF59304F0082DAD84DB7241DB702F84CF41
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,?), ref: 00250B13
                  • Part of subcall function 002633B0: FindFirstFileA.KERNEL32(00000000,?,00000000), ref: 002634EF
                Strings
                Similarity
                • API ID: FileFindFirstFolderPath
                • String ID: cannot use operator[] with a string argument with $cannot use push_back() with $v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
                • API String ID: 2195519125-3470562539
                • Opcode ID: b6c77dec6ee014f72675538662d70b19720f4a46754904d9c734e149b2fa3b1a
                • Instruction ID: 78ad82a378d62a0a00dc7c4528d2afae726a31c29be5f49b23038b64ea8d9bec
                • Opcode Fuzzy Hash: b6c77dec6ee014f72675538662d70b19720f4a46754904d9c734e149b2fa3b1a
                • Instruction Fuzzy Hash: FDB31FB4D152A98BDB65CF68C994BEDBBB0AF59304F1082D9D848B7241DB702F84CF91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateMutexA.KERNEL32(00000000,00000001,00000000), ref: 001FA69D
                • GetLastError.KERNEL32 ref: 001FA6B2
                • Sleep.KERNEL32(00000529), ref: 001FA6D5
                • Sleep.KERNEL32(0000002F), ref: 001FA756
                • shutdown.WS2_32(00000002), ref: 001FA774
                • closesocket.WS2_32 ref: 001FA780
                • WSACleanup.WS2_32 ref: 001FA786
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001FA844
                • Sleep.KERNEL32(00000000), ref: 001FAAF1
                • GetModuleHandleA.KERNEL32(ntdll.dll,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00302AF8,00000001), ref: 001FB082
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 001FB08A
                • GetCurrentProcess.KERNEL32(00000000), ref: 001FB098
                  • Part of subcall function 002649C0: Sleep.KERNEL32(00000065), ref: 00264A37
                • OutputDebugStringA.KERNEL32(Dk43l_dwmk438*,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 001FB0AC
                • OutputDebugStringA.KERNEL32(ewetwertyer eytdryrtdy,00000000,00000000), ref: 001FB1A3
                • OutputDebugStringA.KERNEL32(td ydrthrhfty,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001FB463
                • OutputDebugStringA.KERNEL32(er ert 346 34634 6ch,003029DA,?,?), ref: 001FC55C
                • CreateThread.KERNEL32(00000000,00000000,0020A8A0,00000000,00000000,00000000), ref: 001FC57D
                • CreateThread.KERNEL32(00000000,00000000,00209F60,00000000,00000000,00000000), ref: 001FC591
                • WaitForSingleObject.KERNEL32(?,00000000,?,00000000,00000000,?,?), ref: 001FC811
                Strings
                Similarity
                • API ID: DebugOutputSleepString$Create$Thread$AddressCleanupCurrentErrorHandleLastModuleMutexObjectProcProcessSingleUnothrow_t@std@@@Wait__ehfuncinfo$??2@closesocketshutdown
                • String ID: 2586$4$Dk43l_dwmk438*$\=2$\=2$\=2$\=2$\=2$\=2$er ert 346 34634 6ch$ewetwertyer eytdryrtdy$hc2$hc2$h-0$jjj$jjj$ntdll.dll$td ydrthrhfty$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
                • API String ID: 3508711938-3638927473
                • Opcode ID: bf20c04780d26724534bc8f58ba1d62a05518e35c0a4073354fdf26d2284536f
                • Instruction ID: df4885eeb5bf2a73bcdb4c3c1a67232b1d660b0a757975c7afeb0b0cdbcc1233
                • Opcode Fuzzy Hash: bf20c04780d26724534bc8f58ba1d62a05518e35c0a4073354fdf26d2284536f
                • Instruction Fuzzy Hash: 342310B4D052698BCB25DFA8C995BEEBBB4AF19300F1081D9D519B7381DB702B84CF91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0022E35B
                • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0022E38F
                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,?,?), ref: 0022E3B5
                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,?,?), ref: 0022E54C
                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,?,00000104), ref: 0022E7D3
                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,?,00000104), ref: 0022E8C0
                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000003,?,?), ref: 0022EA01
                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000003,?,00000200), ref: 0022EAEB
                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000003,?,00000200), ref: 0022EBD5
                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000003,?,?), ref: 0022ECBF
                • RegCloseKey.ADVAPI32(?), ref: 0022FDBB
                • RegEnumKeyA.ADVAPI32(?,00000001,?,00000104), ref: 0022FDF1
                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0022FE05
                  • Part of subcall function 001D51EB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,76A923A0,?,001D1CF9,?,003169D8,76A923A0,?,76A923A0,-00326880), ref: 001D524B
                Strings
                Similarity
                • API ID: QueryValue$CloseEnumOpen$ExceptionRaise
                • String ID: 8d2$cannot use operator[] with a string argument with $cannot use push_back() with $v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
                • API String ID: 2021570681-3941151722
                • Opcode ID: 0b270b2c43711ae6ae1d71bedb9cd91d36a7b0c129988bcc40f1b0faa322b73f
                • Instruction ID: d56b957fdcea276c614e31bd05e0cd5149992a0be3868dd4cd82fd2fd91cbbf9
                • Opcode Fuzzy Hash: 0b270b2c43711ae6ae1d71bedb9cd91d36a7b0c129988bcc40f1b0faa322b73f
                • Instruction Fuzzy Hash: E10301B4D042699BDB65CF68CD84BEDBBB4AF59304F1082DAE849B7241DB706B84CF50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?), ref: 00236324
                • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00236422
                • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 00236618
                • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00238931
                Strings
                Similarity
                • API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
                • String ID: XO4$cannot use operator[] with a string argument with $cannot use push_back() with $v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v1
                • API String ID: 1311570089-1867026944
                • Opcode ID: cb3367ef01be13cc712656bc55abd27d907469451c2bc9a3509c3b5fe5482d6c
                • Instruction ID: 3a7bd2ba57e275fca2c8bac22b78addf40bfd010b6f997d2fb6b16a4dedefd4c
                • Opcode Fuzzy Hash: cb3367ef01be13cc712656bc55abd27d907469451c2bc9a3509c3b5fe5482d6c
                • Instruction Fuzzy Hash: 824321B0D152698BDB65CF28C884BEDBBB5AF59304F1482D9E448B7242DB706F84CF51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • Concurrency::cancel_current_task.LIBCPMT ref: 0026C61E
                Strings
                Similarity
                • API ID: Concurrency::cancel_current_task
                • String ID: Pe2$Pe2$cannot compare iterators of different containers$cannot get value$cannot use operator[] with a string argument with $type must be object, but is $v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
                • API String ID: 118556049-1021030959
                • Opcode ID: 148b7cc3828a81be9968974b1b18af9d9508d9f34ab3379740832fdb5d780df8
                • Instruction ID: ce1a2bbe812d36a3741fe2c6fc2d85f43c5afaa8fcbd357c927a5f3829d00740
                • Opcode Fuzzy Hash: 148b7cc3828a81be9968974b1b18af9d9508d9f34ab3379740832fdb5d780df8
                • Instruction Fuzzy Hash: BC7331B0D142698BDB25DF68C894BEDBBB4AF59300F1481D9E449A7282DB716FC4CF81
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,002F80C7,000000FF), ref: 00274A1C
                • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00274A43
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 00274D09
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 0027506B
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 00275712
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 002759D3
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 002761A7
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 0027658D
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 00276D42
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 00277003
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 002776CE
                • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0027779F
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 00277AC2
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 00277E2D
                • CopyFileA.KERNEL32(?,00000000,00000000), ref: 00277EFE
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 002781E9
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 00278479
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 0027862C
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 00278906
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 00278CEC
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 002790A1
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 00279254
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 0027952E
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 00279914
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 00277363
                  • Part of subcall function 0027D2B0: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0027D906
                  • Part of subcall function 0027D2B0: GetLastError.KERNEL32 ref: 0027D950
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 002769F8
                  • Part of subcall function 0027D2B0: FindNextFileA.KERNEL32(00000000,?), ref: 0027D91C
                  • Part of subcall function 0027D2B0: FindClose.KERNEL32(00000000), ref: 0027D92C
                  • Part of subcall function 0027D2B0: GetLastError.KERNEL32 ref: 0027D932
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 00275D1A
                  • Part of subcall function 0027D2B0: CreateDirectoryA.KERNEL32(00000000,00000000,0000002E,0000002F,?,?,?,?,00302B0C,00000001,0000002E,0000002F,?,002F83D1,001B2233,002F83D1), ref: 0027D78B
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 00275ECD
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 002753CB
                  • Part of subcall function 0027D2B0: FindFirstFileA.KERNEL32(00000000,?), ref: 0027D4BB
                  • Part of subcall function 00284050: GetFileAttributesA.KERNEL32(?,?,00000006,00000005,00000005,?), ref: 002840AC
                  • Part of subcall function 00284050: GetLastError.KERNEL32(?,?,00000006,00000005,00000005,?), ref: 002840B7
                  • Part of subcall function 00284050: std::_Throw_Cpp_error.LIBCPMT ref: 002840FF
                  • Part of subcall function 00284050: std::_Throw_Cpp_error.LIBCPMT ref: 00284110
                • CreateDirectoryA.KERNEL32(?,00000000), ref: 00279D4C
                • CopyFileA.KERNEL32(?,00000000,00000000), ref: 00279EA3
                  • Part of subcall function 0027B7E0: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?), ref: 0027B84D
                Strings
                Similarity
                • API ID: CreateDirectory$File$Copy$ErrorFindFolderLastPath$Cpp_errorThrow_std::_$AttributesCloseFirstNext
                • String ID: v<Ea$v<Ea
                • API String ID: 901091077-2190929436
                • Opcode ID: 40d2a4cf63102bde02cdc62dbf30a860a0c94a7ee4b516f4e038770c7bdd3b84
                • Instruction ID: d1ab158f154bd6b3f8bef25232c55fe7e57d54417c6cc452c37560d42d828d32
                • Opcode Fuzzy Hash: 40d2a4cf63102bde02cdc62dbf30a860a0c94a7ee4b516f4e038770c7bdd3b84
                • Instruction Fuzzy Hash: 19F303B4D1525E8BDB15DFA8C981AEEBBB0AF19300F144199D949B7341E7702F84CFA2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?), ref: 00238C78
                • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00238D85
                • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 00238F78
                • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0023AD4D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                 • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
                • String ID: cannot use operator[] with a string argument with $cannot use push_back() with $v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
                • API String ID: 1311570089-2661975114
                • Opcode ID: 5e0a40dd8130dbce34c36c6f28a225539801c5a051d3227dad8c3572be688fc4
                • Instruction ID: 46eee92f569023076218461838bda6973846f6ae5e6b5f89ea1d1fa94a80e4fd
                • Opcode Fuzzy Hash: 5e0a40dd8130dbce34c36c6f28a225539801c5a051d3227dad8c3572be688fc4
                • Instruction Fuzzy Hash: ED2301B4D142698BDB65CF28C8847EDBBB5AF59304F1082D9E849B7281EB706F84CF51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,?), ref: 0024EB4E
                  • Part of subcall function 002633B0: FindFirstFileA.KERNEL32(00000000,?,00000000), ref: 002634EF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                 • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: FileFindFirstFolderPath
                • String ID: R~u$cannot use operator[] with a string argument with $cannot use push_back() with $v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
                • API String ID: 2195519125-4272359862
                • Opcode ID: e09c53ffc8f18ebca95ab999a4cc62e29f002833876b30f8b0309fe8e0e570c6
                • Instruction ID: 9f5604a63a9ba0489dc5b2aeb72dd1cc52dbdcc635cbf4b98cb850cbdee41d3d
                • Opcode Fuzzy Hash: e09c53ffc8f18ebca95ab999a4cc62e29f002833876b30f8b0309fe8e0e570c6
                • Instruction Fuzzy Hash: 721322B0D102698BDB25CF68C994BEDBBB5AF59304F1082D9D849B7282DB706F84CF51
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                 • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: AttributesErrorFileLast
                • String ID: v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$h2
                • API String ID: 1799206407-2909964905
                • Opcode ID: d3454b7b7063239d5e425194c11d8a182cce5d2dd606a51f5ae28f0963c826b1
                • Instruction ID: fa031cf8dda0a35dea0afd15843b90f935cb79d80a376406f36b14bf237a7675
                • Opcode Fuzzy Hash: d3454b7b7063239d5e425194c11d8a182cce5d2dd606a51f5ae28f0963c826b1
                • Instruction Fuzzy Hash: 51E2BA70D10269DBCB25CF68C884BEDBBB4AF15300F1482D9D859AB282DB749F85CF91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00284CF2
                • Process32First.KERNEL32(00000000,00000128), ref: 00284D02
                • Process32Next.KERNEL32(00000000,00000128), ref: 00284D1F
                • Process32Next.KERNEL32(00000000,00000128), ref: 00284FB6
                • CloseHandle.KERNEL32(00000000), ref: 00284FC2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                 • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                • String ID: exists$tF2$tF2$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
                • API String ID: 2284531361-3839386153
                • Opcode ID: af9e598a829e3545b4220c00184ee4b0e2383f523260c613b0b89b5e77c0e913
                • Instruction ID: e6f90c157631ccf8ab076bd06e7419edffde599eeaa689a3fe6497768f1a84d5
                • Opcode Fuzzy Hash: af9e598a829e3545b4220c00184ee4b0e2383f523260c613b0b89b5e77c0e913
                • Instruction Fuzzy Hash: 62F244B4C112698BDB25CF68C898BEDBBB1BF49310F1482D9D859B7281DB706E85CF40
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                 • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: AddressHandleModuleProc
                • String ID: cannot use operator[] with a string argument with $v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
                • API String ID: 1646373207-2201726487
                • Opcode ID: a609125de0660467f4f8589c731ab96d658f69d991fe097aa7ee96a9df8669d2
                • Instruction ID: 8ebab11043f1d01960e2e830f2286dddbc5e5893de1af879ade71ef7dd746e7a
                • Opcode Fuzzy Hash: a609125de0660467f4f8589c731ab96d658f69d991fe097aa7ee96a9df8669d2
                • Instruction Fuzzy Hash: DDD201B4D052A99BDB25CF68C894BEDBBB4AF59300F1481D9D848B7342DB706B84CF91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleA.KERNEL32(00000000,Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36,0000006F,00000000,00000000), ref: 0028A42D
                • GetProcAddress.KERNEL32(00000000,?), ref: 0028A4C9
                • GetProcAddress.KERNEL32(00000000,?), ref: 0028A5DB
                • GetProcAddress.KERNEL32(00000000,?), ref: 0028A65B
                • GetProcAddress.KERNEL32(00000000,?), ref: 0028A74F
                • GetProcAddress.KERNEL32(00000000,?), ref: 0028A843
                • GetProcAddress.KERNEL32(00000000,?), ref: 0028A937
                • GetProcAddress.KERNEL32(00000000,?), ref: 0028AA2B
                • GetProcAddress.KERNEL32(00000000,?), ref: 0028AAAB
                • GetProcAddress.KERNEL32(00000000,?), ref: 0028AB9F
                • GetProcAddress.KERNEL32(00000000,?), ref: 0028AC93
                Strings
                • v<Ea, xrefs: 0028AC28
                • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36, xrefs: 0028A389
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                 • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: AddressProc$HandleModule
                • String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36$v<Ea
                • API String ID: 667068680-1999961152
                • Opcode ID: dcf5a09d12918828e946551c54e9a35bc43e54220515e8d2f874e1dfb0658c01
                • Instruction ID: 018dbcef54e562459a36e90e6bdeaf465071cc7288dc9512d70e30dd278a6f3a
                • Opcode Fuzzy Hash: dcf5a09d12918828e946551c54e9a35bc43e54220515e8d2f874e1dfb0658c01
                • Instruction Fuzzy Hash: 997279B8D1525ECBDB15CFA8D6826EEBBB1BF08310F20411AD955B7350D7702A81CFA6
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040,?,00000000), ref: 0026C6A1
                • WriteProcessMemory.KERNEL32(00000000,00000000,0026558D,?,00000000), ref: 0026C6BD
                • WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0026C6F2
                • VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040), ref: 0026C71B
                • WriteProcessMemory.KERNEL32(?,00000000,?,00000218,00000000,?,?,?,00326328), ref: 0026C8BF
                • WriteProcessMemory.KERNEL32(?,00000218,0026C990,-00000010,00000000,?,?,?,00326328), ref: 0026C8E1
                • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000218,00000000,00000000,00000000), ref: 0026C8F4
                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,00326328), ref: 0026C8FD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                 • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: MemoryProcessWrite$AllocVirtual$CreateObjectRemoteSingleThreadWait
                • String ID: %s|%s$(c2$2586$v<Ea
                • API String ID: 2137838514-1515221397
                • Opcode ID: 2aa5322da5e852077095fd516d5ca0db18d821da440dbbf2b862009b1464c70b
                • Instruction ID: 6c9745d57bf6b403b77157593623bb0a9e0a0df778a9d38ed10a45476111bcf3
                • Opcode Fuzzy Hash: 2aa5322da5e852077095fd516d5ca0db18d821da440dbbf2b862009b1464c70b
                • Instruction Fuzzy Hash: B2B16AB1D00208DFDB14CFA8DC89BAEBBB4FF48310F104269E959BB291D7746980CB95
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000), ref: 00230BED
                • GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000), ref: 00230C01
                • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,?,00000000), ref: 00230C38
                • CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00230C43
                • CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00230C65
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                 • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: File$CloseHandle$CreateReadSize
                • String ID: v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
                • API String ID: 3664964396-3480959595
                • Opcode ID: bb40e054403721a9154597fde6457ff7ff31c7ad956e3a936601d787d0549f5f
                • Instruction ID: 6bcada3a13629917b13f49273594a7423dff340efbb1c082c6d7219bfd28c26a
                • Opcode Fuzzy Hash: bb40e054403721a9154597fde6457ff7ff31c7ad956e3a936601d787d0549f5f
                • Instruction Fuzzy Hash: B1328AB1D142689FDB25CF64C890BEDBBB1BF59300F148299E859B7381DB702A95CF50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 001A8A00: GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 001A8A4F
                • GetUserNameA.ADVAPI32(?,00000104), ref: 0026CD04
                • CopyFileA.KERNEL32(?,?,00000000), ref: 0026D10B
                • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020006,?), ref: 0026D2C5
                • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?), ref: 0026D309
                • RegCloseKey.ADVAPI32(?), ref: 0026D315
                • CopyFileA.KERNEL32(?,?,00000000), ref: 0026D8AA
                • __Xtime_get_ticks.LIBCPMT ref: 0026E57D
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0026E58B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                 • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: File$CopyName$CloseModuleOpenUnothrow_t@std@@@UserValueXtime_get_ticks__ehfuncinfo$??2@
                • String ID: 2586$v<Ea
                • API String ID: 3408431245-2190683800
                • Opcode ID: 39fcba04ead3b859038e24e9bf203b46aa9cfcc561c74a10c2841abdbabf4010
                • Instruction ID: 91f307496c2b4d5cff319d43e78501d0f151ab08235953f0eb23918988a4e2e9
                • Opcode Fuzzy Hash: 39fcba04ead3b859038e24e9bf203b46aa9cfcc561c74a10c2841abdbabf4010
                • Instruction Fuzzy Hash: E013F2B4D1425E8BDB15CFA8C995AEEBBB0BF19300F204199D949B7341EB701B84CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 001A8A00: GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 001A8A4F
                • CopyFileA.KERNEL32(?,?,00000000), ref: 0026EE20
                • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020006,?), ref: 0026EFDA
                • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?), ref: 0026F01E
                • RegCloseKey.ADVAPI32(?), ref: 0026F02A
                • CopyFileA.KERNEL32(?,?,00000000), ref: 0026F51C
                • GetUserNameA.ADVAPI32(?,00000104), ref: 0026F558
                • ShellExecuteA.SHELL32(00000000,?,?,00000000,00000000,00000001), ref: 0027003D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                 • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: File$CopyName$CloseExecuteModuleOpenShellUserValue
                • String ID: 2586$v<Ea
                • API String ID: 164619896-2190683800
                • Opcode ID: b7e6f781e42d93996a580e54b29bd098b72827f3a6bcf219c8def85fb799ec88
                • Instruction ID: b6da77b16acfd861e52a9a718cc454f5fccf9fbe6963a97cd9fb691b07c34c49
                • Opcode Fuzzy Hash: b7e6f781e42d93996a580e54b29bd098b72827f3a6bcf219c8def85fb799ec88
                • Instruction Fuzzy Hash: 2803F1B4D0425E8BDB15CFA8D995AEEBBB0BF19300F204199D949B7341DB701B84CFA6
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetFileAttributesExW.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 001D20AA
                • GetLastError.KERNEL32(?,00000000,00000000), ref: 001D20B4
                • FindFirstFileW.KERNEL32(?,?,?,00000000,00000000), ref: 001D20CB
                • GetLastError.KERNEL32(?,00000000,00000000), ref: 001D20D6
                • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 001D20E2
                • ___std_fs_open_handle@16.LIBCPMT ref: 001D219B
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                 • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: ErrorFileFindLast$AttributesCloseFirst___std_fs_open_handle@16
                • String ID:
                • API String ID: 2340820627-0
                • Opcode ID: 82156740e7bac5938465c7418982a6bd462a3c755cb20e1a90a60aed1ad525bb
                • Instruction ID: d4f032992879011b8bdd131759aafdac7b41cb88b87e63343d4da92c8bb1fd83
                • Opcode Fuzzy Hash: 82156740e7bac5938465c7418982a6bd462a3c755cb20e1a90a60aed1ad525bb
                • Instruction Fuzzy Hash: D471A575A006199FCB24CF68DC88BA9B7B8BF25360F144256FC69E3390DB31AD45CB51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 002E26B0: GetVersionExA.KERNEL32(?), ref: 002E26D6
                • GetVersionExA.KERNEL32(?), ref: 002E20B3
                • DeleteFileW.KERNEL32(00000000), ref: 002E20D2
                • GetFileAttributesW.KERNEL32(00000000), ref: 002E20D9
                • GetLastError.KERNEL32 ref: 002E20E6
                • Sleep.KERNEL32(00000064), ref: 002E20FC
                • DeleteFileA.KERNEL32(00000000), ref: 002E2105
                • GetFileAttributesA.KERNEL32(00000000), ref: 002E210C
                • GetLastError.KERNEL32 ref: 002E2119
                • Sleep.KERNEL32(00000064), ref: 002E212F
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                 • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: File$AttributesDeleteErrorLastSleepVersion
                • String ID:
                • API String ID: 1421123951-0
                • Opcode ID: 59730e4c4cb8db99ec4390dea240ee34c886e3029d5771491677cdcd60274722
                • Instruction ID: 2408a7be03dda8e94e2ed1953f489d507ef6073c99a4043b5a0a33a52f239bf0
                • Opcode Fuzzy Hash: 59730e4c4cb8db99ec4390dea240ee34c886e3029d5771491677cdcd60274722
                • Instruction Fuzzy Hash: 0B210571960214DFCB20AF75BC8C67E73BCEB2A370F600169E91FD6280DE30499AD642
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,00000003), ref: 0027C44A
                • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,00000003), ref: 0027C6D9
                  • Part of subcall function 00284050: GetFileAttributesA.KERNEL32(?,?,00000006,00000005,00000005,?), ref: 002840AC
                  • Part of subcall function 00284050: GetLastError.KERNEL32(?,?,00000006,00000005,00000005,?), ref: 002840B7
                • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,00000003), ref: 0027C8DA
                • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,00000003), ref: 0027CBFA
                  • Part of subcall function 00284050: std::_Throw_Cpp_error.LIBCPMT ref: 002840FF
                  • Part of subcall function 00284050: std::_Throw_Cpp_error.LIBCPMT ref: 00284110
                • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,00000003), ref: 0027D02D
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true (associated dump regions identical to the first function record above)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: CreateDirectory$Cpp_errorThrow_std::_$AttributesErrorFileFolderLastPath
                • String ID: v<Ea$v<Ea
                • API String ID: 3108237365-2190929436
                • Opcode ID: 7ccc8ce48d588c0a475dad0e08fe22d986b276bf695d93c7ebb84762e787d6f1
                • Instruction ID: f918b5a42c042cb5e9d155ee0dfb77ff4b2bad6b3f91d1e0e4a9827c4d66e644
                • Opcode Fuzzy Hash: 7ccc8ce48d588c0a475dad0e08fe22d986b276bf695d93c7ebb84762e787d6f1
                • Instruction Fuzzy Hash: 10A2FFB4D0525D8BDB25CFA8C981BEEBBB0BF19310F204199D949B7351E7702A84CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleA.KERNEL32(?,7591E010,?), ref: 00286F9E
                • GetProcAddress.KERNEL32(00000000,?), ref: 00286FA9
                • GetProcessHeap.KERNEL32 ref: 00286FB4
                • HeapAlloc.KERNEL32(00000000,00000000,00010000), ref: 00286FCE
                • HeapAlloc.KERNEL32(?,00000000,00010000), ref: 00287007
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true (associated dump regions identical to the first function record above)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: Heap$Alloc$AddressHandleModuleProcProcess
                • String ID: v<Ea
                • API String ID: 349456774-4124759590
                • Opcode ID: 0335909070d4898df2547a5ce90e8cb1b39d6b8d099fe4a2cf5c3b998cf2a666
                • Instruction ID: 59206cf67862d3b3582565a865576753eca113ec44eb8d6e06f76d236b385514
                • Opcode Fuzzy Hash: 0335909070d4898df2547a5ce90e8cb1b39d6b8d099fe4a2cf5c3b998cf2a666
                • Instruction Fuzzy Hash: 3281F3B5D14229ABDB14CFA9E885AEEFBB5FF48310F10816AE924B7340D7706A01CF55
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLastError.KERNEL32 ref: 002E23E1
                • GetVersionExA.KERNEL32(?), ref: 002E2405
                • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 002E2437
                • LocalFree.KERNEL32(?), ref: 002E244E
                • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 002E2486
                  • Part of subcall function 002E2ED0: AreFileApisANSI.KERNEL32(00000000,00000000,?,?,?,002E1C25), ref: 002E2EDC
                  • Part of subcall function 002E2ED0: MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,?,?,?,002E1C25), ref: 002E2EF1
                  • Part of subcall function 002E2ED0: MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 002E2F17
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true (associated dump regions identical to the first function record above)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: ByteCharFormatMessageMultiWide$ApisErrorFileFreeLastLocalVersion
                • String ID: OsError 0x%x (%u)
                • API String ID: 807219750-2664311388
                • Opcode ID: a9ce656bc7e182ebb394d0f862ecba2d4051b7d0e881174d8935bec3574908c7
                • Instruction ID: d0add9267f10fe46a280ad3721baa71b1621849c88091aaaf99a7d841d21ad6a
                • Opcode Fuzzy Hash: a9ce656bc7e182ebb394d0f862ecba2d4051b7d0e881174d8935bec3574908c7
                • Instruction Fuzzy Hash: 48219571A50218BBDB20AB62AC4AFAE7BBCEB45791F5000A5F909E2290D6745E14CA51
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true (associated dump regions identical to the first function record above)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: __floor_pentium4
                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                • API String ID: 4168288129-2761157908
                • Opcode ID: 68e435f5ad75e06654ec72d2aea965cc8e1c42b617a0629961114d42e04023c4
                • Instruction ID: 6edd0170e658f712527b2e1b0ec1ec80845ebc1cece05226e0a0c72ed321dbd8
                • Opcode Fuzzy Hash: 68e435f5ad75e06654ec72d2aea965cc8e1c42b617a0629961114d42e04023c4
                • Instruction Fuzzy Hash: E6D22771E0862D8FDB64CE28CD447EAB7B6EB44315F1441EAD60DE7240EB78AE818F41
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true (associated dump regions identical to the first function record above)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID:
                • String ID: BINARY$MATCH$NOCASE$RTRIM$automatic extension loading failed: %s$no such vfs: %s$sqlite_rename_table
                • API String ID: 0-1885142750
                • Opcode ID: 7503370419f3bd7a146366d3d7c0dfc0f4ca65fa81fa84304ae5858df7ab13e4
                • Instruction ID: c319c7e26333e6fcb5ce5f441b56911236be6bf18a77ba5e96e536eb98564c09
                • Opcode Fuzzy Hash: 7503370419f3bd7a146366d3d7c0dfc0f4ca65fa81fa84304ae5858df7ab13e4
                • Instruction Fuzzy Hash: 9B025970A207019FEF319F25DC45B6B77E8AF41300F18442DE84A9B292DFB5E965CB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0022CCBC
                • Process32First.KERNEL32(00000000,?), ref: 0022CCE2
                • Process32Next.KERNEL32(00000000,00000128), ref: 0022CD31
                • CloseHandle.KERNEL32(00000000), ref: 0022CD47
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true (associated dump regions identical to the first function record above)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                • String ID: v<Ea
                • API String ID: 420147892-4124759590
                • Opcode ID: ce317182a4b824e4291cdf6af0bb5db826b4bbbd59ac488c5248d17527daf30f
                • Instruction ID: 9db71753f43562ac0f1b49f90a24e926f1c05fd4150c647bfafa22a4151346ef
                • Opcode Fuzzy Hash: ce317182a4b824e4291cdf6af0bb5db826b4bbbd59ac488c5248d17527daf30f
                • Instruction Fuzzy Hash: DCD1BCB1D102199BDB14CFA8D9847EEBBF5EF45310F244269E804AB381DB75AE44CBA1
                Uniqueness

                Uniqueness Score: -1.00%
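The per-function "APIs" lists and the "API ID" line in each Similarity block are the raw material for clustering functions across reports: two functions that share an API ID share the same import fingerprint even when their opcode hashes differ. The following Python is an added example, not Joe Sandbox code. It parses API bullets in the format shown on this page (including "Part of subcall function" entries), recomputes the API ID with tokenisation rules inferred from the listings here (drop Get/Set/Is/Are/To/Ex and single-letter tokens such as the A/W suffixes, group the remaining CamelCase tokens by occurrence count, sort each group, join groups with "$"), and applies a small rule set whose labels mirror signatures from this report's header. The two embedded records are copied from the function listings at 0022CCBC and 00286F9E above; the STOP_TOKENS set and the RULES table are assumptions for illustration, not the vendor's published logic.

```python
"""Parse Joe Sandbox per-function API listings and recompute the API ID.

Added example, not Joe Sandbox code.  The tokenisation rules are inferred
from the listings on this page and reproduce the API IDs printed here, but
the vendor's real implementation is not published.
"""
import re
from collections import Counter

# One bullet of a function's "APIs" list, with or without an argument list
# and with or without the "Part of subcall function XXXX:" prefix.
API_LINE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>[A-Za-z_][\w:]*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)"
)

# Generic verbs/infixes the API ID drops (assumption inferred from the page).
# Single-letter tokens (A/W suffixes, and ACP/ANSI once split) are dropped by
# the length check in tokens().
STOP_TOKENS = {"Get", "Set", "Is", "Are", "To", "Ex"}

# Illustrative behaviour rules over the API names seen in one function; the
# labels mirror signatures in this report's header.  Example only.
RULES = {
    "process enumeration via Toolhelp32":
        {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "dynamic API resolution (GetProcAddress)":
        {"GetModuleHandleA", "GetProcAddress"},
    "debugger check (IsDebuggerPresent)": {"IsDebuggerPresent"},
    "retry loop ending in Sleep": {"GetLastError", "Sleep"},
}


def parse_api_lines(text):
    """Return one dict per API bullet: api, module, args, ref, subcall."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            calls.append({"api": m["api"], "module": m["mod"], "args": args,
                          "ref": m["ref"], "subcall": m["sub"]})
    return calls


def tokens(api_name):
    """Split a CamelCase API name into the tokens the API ID is built from;
    a leading lowercase run such as 'std::_' is kept as one token."""
    parts = re.findall(r"[A-Z][^A-Z]*|^[^A-Z]+", api_name)
    return [p for p in parts if len(p) > 1 and p not in STOP_TOKENS]


def api_id(api_names):
    """Tokens grouped by descending occurrence count, each group sorted in
    code-point order, groups joined with '$'."""
    counts = Counter(t for name in api_names for t in tokens(name))
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n]))
                    for n in sorted(by_count, reverse=True))


def classify(calls):
    """Labels whose required API set is fully present in this function."""
    seen = {c["api"] for c in calls}
    return sorted(label for label, need in RULES.items() if need <= seen)


def analyse(record_text):
    """Parse one function record; return (api_id, labels, number of calls)."""
    calls = parse_api_lines(record_text)
    return api_id(c["api"] for c in calls), classify(calls), len(calls)


# Two "APIs" lists copied verbatim from this report: the process enumeration
# routine at 0022CCBC and the heap/GetProcAddress routine at 00286F9E.
TOOLHELP_RECORD = """
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0022CCBC
• Process32First.KERNEL32(00000000,?), ref: 0022CCE2
• Process32Next.KERNEL32(00000000,00000128), ref: 0022CD31
• CloseHandle.KERNEL32(00000000), ref: 0022CD47
"""
HEAP_RECORD = """
• GetModuleHandleA.KERNEL32(?,7591E010,?), ref: 00286F9E
• GetProcAddress.KERNEL32(00000000,?), ref: 00286FA9
• GetProcessHeap.KERNEL32 ref: 00286FB4
• HeapAlloc.KERNEL32(00000000,00000000,00010000), ref: 00286FCE
• HeapAlloc.KERNEL32(?,00000000,00010000), ref: 00287007
"""

if __name__ == "__main__":
    for name, record in (("toolhelp", TOOLHELP_RECORD), ("heap", HEAP_RECORD)):
        print(name, analyse(record))
```

Run against the two embedded records, analyse() returns the same API IDs the report prints for those functions ("Process32$CloseCreateFirstHandleNextSnapshotToolhelp32" and "Heap$Alloc$AddressHandleModuleProcProcess"); the same rules reproduce the IDs of the CreateDirectory, FormatMessage, locale and exception-filter records on this page, so the feature can be recomputed from any report text without the snapshot file.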

                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true (associated dump regions identical to the first function record above)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID:
                • String ID: %d values for %d columns$OID$ROWID$_ROWID_$table %S has %d columns but %d values were supplied$table %S has no column named %s
                • API String ID: 0-3534356592
                • Opcode ID: 79a1afd6d1c74c2451135d6092d89028ef62a6d056b380aacdb6f36b46d48edc
                • Instruction ID: 21968ff0feb6f9ca1b23b11743b49a08b18571233e843930dbec135e7cbb2d30
                • Opcode Fuzzy Hash: 79a1afd6d1c74c2451135d6092d89028ef62a6d056b380aacdb6f36b46d48edc
                • Instruction Fuzzy Hash: C3D27A706147428FD724EF18C480B6ABBE1FF84384F15895DE8868B352EB75E965CF82
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetVersionExA.KERNEL32(?), ref: 002E2223
                • CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,7FFFFFFD,00000000,00000000), ref: 002E2253
                • CreateFileA.KERNEL32(00000000,C0000000,00000003,00000000,7FFFFFFD,00000000,00000000), ref: 002E225B
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true (associated dump regions identical to the first function record above)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: CreateFile$Version
                • String ID:
                • API String ID: 1715692615-0
                • Opcode ID: c51528d543c0241d95443ac723cf264627927bd2cd50a3b55589b68156f2c578
                • Instruction ID: 8af137aaa9863ef602a1a490e5e7d29da06c8fd76c00dd139a4844824cd7b0dc
                • Opcode Fuzzy Hash: c51528d543c0241d95443ac723cf264627927bd2cd50a3b55589b68156f2c578
                • Instruction Fuzzy Hash: 8861FEB1654342DFDB10CF26D845BABB7E8FF84310F44456DF99AD6280E738C9288B92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 001E9E32: GetLastError.KERNEL32(00000000,?,001EF819), ref: 001E9E36
                  • Part of subcall function 001E9E32: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 001E9ED8
                • GetACP.KERNEL32(?,?,?,?,?,?,001E72F0,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 001F2C07
                • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,001E72F0,?,?,?,00000055,?,-00000050,?,?), ref: 001F2C3E
                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 001F2DA1
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true (associated dump regions identical to the first function record above)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: ErrorLast$CodeInfoLocalePageValid
                • String ID: utf8
                • API String ID: 607553120-905460609
                • Opcode ID: 6406bf60cf1b0540b7df6d782c64dc5befc3c9aca48598ceec1519560c480ee0
                • Instruction ID: cd361eeb9abd5752d4f46a6a56979298c6820b7070a0b1d0d7e667c08d9db41f
                • Opcode Fuzzy Hash: 6406bf60cf1b0540b7df6d782c64dc5befc3c9aca48598ceec1519560c480ee0
                • Instruction Fuzzy Hash: 3A71037560060EAADB29AFB5CC82BBB73A8EF55710F14442AFB05DB181EB70ED408761
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true (associated dump regions identical to the first function record above)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d832fe2a0f42001a57c9b2c34ab75cd1b9a187cae735d2738bff895b2773b599
                • Instruction ID: c5ff71ea9a7847cb53ea3a5e0bcd92db28a369b3eb307875ced371b441229c43
                • Opcode Fuzzy Hash: d832fe2a0f42001a57c9b2c34ab75cd1b9a187cae735d2738bff895b2773b599
                • Instruction Fuzzy Hash: 38023D71E0161A9BDF14CFA8D9806AEFBF1FF48314F24866AE519E7380D731A941CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true (associated dump regions identical to the first function record above)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID:
                • String ID: OID$ROWID$_ROWID_$no such column: %s
                • API String ID: 0-2593059340
                • Opcode ID: f091b497ba8e0552f7c2943dcb8d0833efdb14adbc2d633fb52ad8c7c122bc6e
                • Instruction ID: 9d97a3a61a9f6915b9ed3273c422431350f9692297a5f7d604c6063ed1934e5e
                • Opcode Fuzzy Hash: f091b497ba8e0552f7c2943dcb8d0833efdb14adbc2d633fb52ad8c7c122bc6e
                • Instruction Fuzzy Hash: 63C259706147428FD724EF18C090B2BBBE1FF86344F15895DE98A4B352DBB5E825CB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 001D4180
                • IsDebuggerPresent.KERNEL32 ref: 001D424C
                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 001D4265
                • UnhandledExceptionFilter.KERNEL32(?), ref: 001D426F
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true (associated dump regions identical to the first function record above)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                • String ID:
                • API String ID: 254469556-0
                • Opcode ID: c9181f84dc1bee15c672c0ef03a9cb2e0a93991c5a0bf194b8fe8056edf158f3
                • Instruction ID: ea7162dc24dd5566cf965990968b28dcb60c751ab977e2c1b29aa189bc843ce7
                • Opcode Fuzzy Hash: c9181f84dc1bee15c672c0ef03a9cb2e0a93991c5a0bf194b8fe8056edf158f3
                • Instruction Fuzzy Hash: E631F7B5D05229DBDF20DFA4D9897CDBBB8BF08300F1041AAE40DAB250EB759A84CF45
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::_Throw_Cpp_error.LIBCPMT ref: 00264401
                • std::_Throw_Cpp_error.LIBCPMT ref: 00264412
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true (associated dump regions identical to the first function record above)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: Cpp_errorThrow_std::_
                • String ID: v<Ea
                • API String ID: 2134207285-4124759590
                • Opcode ID: 6022e7e7770ac2d32fd78c488f1fcd89db1f6ddcbcd0127bdccbcfbbbf5b5c9f
                • Instruction ID: 9d8b893aeb4d757f8f59ccddde248f703e4e511062f06eb5c8610e9c4b19f2eb
                • Opcode Fuzzy Hash: 6022e7e7770ac2d32fd78c488f1fcd89db1f6ddcbcd0127bdccbcfbbbf5b5c9f
                • Instruction Fuzzy Hash: C591F1B0D04288CFCB05DF98C882BEDBBB1BF59304F14819DE8516B392D775A956CB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleA.KERNEL32(?), ref: 00270591
                • GetProcAddress.KERNEL32(00000000,?), ref: 0027059C
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true (associated dump regions identical to the first function record above)
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: AddressHandleModuleProc
                • String ID: v<Ea
                • API String ID: 1646373207-4124759590
                • Opcode ID: 1e9a0b60fe9d98bc71d3577db2d9dfad1ab14869a8dfc9202d69ce0636d51275
                • Instruction ID: 6b8badf7f8fd3f90703412946d4791a60b6d48acd3271f88d389a1c14ea046d3
                • Opcode Fuzzy Hash: 1e9a0b60fe9d98bc71d3577db2d9dfad1ab14869a8dfc9202d69ce0636d51275
                • Instruction Fuzzy Hash: 7B9178B4D10209DFDB14CF98C881BAEBBB5FF48310F248159E908BB381D770AA55CBA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VirtualQuery.KERNEL32(?,?,0000001C), ref: 001F80D9
                • GetSystemInfo.KERNEL32(?), ref: 001F80F4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: InfoQuerySystemVirtual
                • String ID: D
                • API String ID: 401686933-2746444292
                • Opcode ID: 7cda7d3295a98511aaf4ca2f25b03d4727f723bfce446e8157e0b2e6fe98f143
                • Instruction ID: df3fc8b7c03182972eff9fc81e1688205fca048807893325d8a381d6babe2947
                • Opcode Fuzzy Hash: 7cda7d3295a98511aaf4ca2f25b03d4727f723bfce446e8157e0b2e6fe98f143
                • Instruction Fuzzy Hash: 2201F7726001096BDB14DE29DC09BEE7BB9EFC4364F0CC224AE19D7240DB38D906C680
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000001), ref: 001D8B4C
                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000001), ref: 001D8B56
                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000001), ref: 001D8B63
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                • String ID:
                • API String ID: 3906539128-0
                • Opcode ID: d5925e01876cbededa0d8f33f46cdd38ba6953fff0d0bd0cd6e43fd569c7d330
                • Instruction ID: f51ccce54dcc4c410f52144acf7238204f3c9169341ad306b0cc747048a0b788
                • Opcode Fuzzy Hash: d5925e01876cbededa0d8f33f46cdd38ba6953fff0d0bd0cd6e43fd569c7d330
                • Instruction Fuzzy Hash: 7B31C4B4901229ABCB21DF68DC8979DBBB8BF18350F5041EAE41CA7250EB749F85CF45
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID:
                • String ID: v<Ea$v<Ea
                • API String ID: 0-2190929436
                • Opcode ID: 3889a5ec22b8ac0efada64f6759a8bd969c18949708ea5cb9a7cfe098b3a30bc
                • Instruction ID: 2d76bee54bb22aec3f0b5477061153e5790fd10d89a04c0046747818f9af47ac
                • Opcode Fuzzy Hash: 3889a5ec22b8ac0efada64f6759a8bd969c18949708ea5cb9a7cfe098b3a30bc
                • Instruction Fuzzy Hash: 17D2DFB4D1425A8BDB19CFA8D9816EEFBB0BF49300F204289D959B7341D7706B85CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002DCA85
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002DCD87
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                • String ID:
                • API String ID: 885266447-0
                • Opcode ID: ae44195e0f25fbc77191ba1112dd43f9a2389636270ae980bd49fd0423b58a15
                • Instruction ID: 11de1dcb4d34ebaf2f018faad72aabc377956e79f300da5a001bcb8774723dfb
                • Opcode Fuzzy Hash: ae44195e0f25fbc77191ba1112dd43f9a2389636270ae980bd49fd0423b58a15
                • Instruction Fuzzy Hash: CC028C70624603AFDB18CF68C850B6AB7E5BF88314F24866EE859CB750D774ED64CB81
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002E4443
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002E44A1
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                • String ID:
                • API String ID: 885266447-0
                • Opcode ID: bbc183165b8456e0db17e3a48dc9edb3ddbf89557cfc3b4e3e51ce4df5dfcc96
                • Instruction ID: b598b213b4158df10c93d2180ef936babe0961912877dfa6bdade3efa44de89b
                • Opcode Fuzzy Hash: bbc183165b8456e0db17e3a48dc9edb3ddbf89557cfc3b4e3e51ce4df5dfcc96
                • Instruction Fuzzy Hash: 08021771E1065A8BCF19DF6EC8A03BDFBB1BF99310F5542AAE958AB381D7344941CB40
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3Setgloballocalestd::locale::_
                • String ID: v<Ea$v<Ea
                • API String ID: 3356752076-2190929436
                • Opcode ID: 4337ead98339d53d29cd59ce7883a483e21d845fed54fdef8b994f94705a7c10
                • Instruction ID: f223f37fd769ed2706014a10ff27bb2c8bf4dd7e09124aa67118166ab8279844
                • Opcode Fuzzy Hash: 4337ead98339d53d29cd59ce7883a483e21d845fed54fdef8b994f94705a7c10
                • Instruction Fuzzy Hash: CE727BB0D10259CFDB24CFA8C9457EEBBB0AF55304F148299D459BB382DB746A84CF92
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID:
                • String ID: +$/
                • API String ID: 0-2439032044
                • Opcode ID: ccf1d9c94f6e27482a23339851742c0793b344f1c46cc76423ff3eb2b31d284b
                • Instruction ID: 8a1a937c5edfcf6dbc808a1b4a36fbc5c9ecb45d85dd1b712f8b18046bdcd85e
                • Opcode Fuzzy Hash: ccf1d9c94f6e27482a23339851742c0793b344f1c46cc76423ff3eb2b31d284b
                • Instruction Fuzzy Hash: 8202D170A042499FCB15DF68C8947FEBBF5FF5A310F14426AE965A7382D7309A44CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID:
                • String ID: Wa-$d
                • API String ID: 0-1143596532
                • Opcode ID: 4d2e40d0ee049fcd3d8f72c1fa515a9766287207d900e49fb11eb8d4540daae0
                • Instruction ID: 31aed791e76e41176271b06dbfcc15182facc2788d3969fff37fbfadad4459d0
                • Opcode Fuzzy Hash: 4d2e40d0ee049fcd3d8f72c1fa515a9766287207d900e49fb11eb8d4540daae0
                • Instruction Fuzzy Hash: 20B1A5306187428FC314CF19C49056ABBE1BF99304F1885AEE8958F743DB75ED26CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID:
                • String ID: match
                • API String ID: 0-2052834565
                • Opcode ID: 18768b04a36f9535187d02fe2935fd47c00cc8f9749387199019b8791e1ca7bc
                • Instruction ID: b4371444ee5d795f773bcaef7062829675130569a690d8c980b0c681bb641abc
                • Opcode Fuzzy Hash: 18768b04a36f9535187d02fe2935fd47c00cc8f9749387199019b8791e1ca7bc
                • Instruction Fuzzy Hash: 49729170A147428FD724CF24C4C1B2BB7E1BF89314F148A6DE98A8B392DB75E855CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID:
                • String ID: %s-mj%08X
                • API String ID: 0-77246884
                • Opcode ID: 0c44feec2166013ab208c532e7b8fbbaa4e3a1a9e0cfaba2592b9009f814717c
                • Instruction ID: e794fdfd68ffc5ac7888b0edbeb09ce7745752f3667d26fd0afb1d588ab9d463
                • Opcode Fuzzy Hash: 0c44feec2166013ab208c532e7b8fbbaa4e3a1a9e0cfaba2592b9009f814717c
                • Instruction Fuzzy Hash: 3B428A70A10206DFDB25CFA8D880BAAB7F5BF68304F14806EE819A7351D775ED69CB50
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID:
                • String ID: GD-
                • API String ID: 0-1532924963
                • Opcode ID: 1682868157a21c58a8761361d3859ab34db4e993beeed00948841fca83b97ad1
                • Instruction ID: 66af197e3409a60d11d8993f547d71812edd4be88069a5511b6254c25e62be45
                • Opcode Fuzzy Hash: 1682868157a21c58a8761361d3859ab34db4e993beeed00948841fca83b97ad1
                • Instruction Fuzzy Hash: 40F1B032D692D38FCB159F39C4813EDBFA2AF65300F5C46A6C4958B782D278D925C790
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID:
                • String ID: 0
                • API String ID: 0-4108050209
                • Opcode ID: aaffbfff9d26851b7f1c3a2caa2f508db3fbdf819399eb39b202afd88fb5a0af
                • Instruction ID: 037c8920575cea964df182ed3effd6a5625c4c2375e7e303a08ce6c03ef143f3
                • Opcode Fuzzy Hash: aaffbfff9d26851b7f1c3a2caa2f508db3fbdf819399eb39b202afd88fb5a0af
                • Instruction Fuzzy Hash: 0AB1D734900E8B8BCB2ACF6AC9556BEB7F1AF1C300F14061EE592AB651C7B1D9C1CB51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 001E9E32: GetLastError.KERNEL32(00000000,?,001EF819), ref: 001E9E36
                  • Part of subcall function 001E9E32: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 001E9ED8
                • EnumSystemLocalesW.KERNEL32(001F2F65,00000001,00000000,?,-00000050,?,001F3599,00000000,?,?,?,00000055,?), ref: 001F2EB1
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: ErrorLast$EnumLocalesSystem
                • String ID:
                • API String ID: 2417226690-0
                • Opcode ID: 49c092c90ca1393f82040c7018be4924a8bf198c70947c3aeb4eff4f70aa9d93
                • Instruction ID: 24e3ebd1a988020d312028ae2d30b0560ff6be90849bc99f2409a9ee5a274213
                • Opcode Fuzzy Hash: 49c092c90ca1393f82040c7018be4924a8bf198c70947c3aeb4eff4f70aa9d93
                • Instruction Fuzzy Hash: 66110C372107055FDB18DF39D8915BABB91FF84768B14442DEA8687741D771B943CB40
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 001E9E32: GetLastError.KERNEL32(00000000,?,001EF819), ref: 001E9E36
                  • Part of subcall function 001E9E32: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 001E9ED8
                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 001F2DA1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: ErrorLast$InfoLocale
                • String ID: utf8
                • API String ID: 3736152602-905460609
                • Opcode ID: fa6bd643d52df3e703348dbdd89a3d290ea3dd2a7585b3f01223859d8d358bc1
                • Instruction ID: f54afd62e812fd3c44a44577606d900ca4824f6c7e33dfb6a8a0c592e63164b0
                • Opcode Fuzzy Hash: fa6bd643d52df3e703348dbdd89a3d290ea3dd2a7585b3f01223859d8d358bc1
                • Instruction Fuzzy Hash: 6EF0A432640209ABC714EB64DC45EBA33A8DB55311F15017AF612D7241DB74AD059750
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 001E9E32: GetLastError.KERNEL32(00000000,?,001EF819), ref: 001E9E36
                  • Part of subcall function 001E9E32: SetLastError.KERNEL32(00000000,00000000,00000001,00000006,000000FF), ref: 001E9ED8
                • EnumSystemLocalesW.KERNEL32(001F2D4D,00000001,?,?,?,001F35BB,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 001F2E2B
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: ErrorLast$EnumLocalesSystem
                • String ID:
                • API String ID: 2417226690-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetUnhandledExceptionFilter.KERNEL32(Function_0003430D,001D3BD4), ref: 001D4306
                 Similarity
                 • API ID: ExceptionFilterUnhandled
                 • String ID:
                 • API String ID: 3192549508-0
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                 Similarity
                 • API ID:
                 • String ID: -
                 • API String ID: 0-2547889144
                Uniqueness

                Uniqueness Score: -1.00%


                APIs
                • GetModuleHandleA.KERNEL32(?,7591E010,?), ref: 00286650
                • GetProcAddress.KERNEL32(00000000,?), ref: 00286660
                • GetModuleHandleA.KERNEL32(?), ref: 00286778
                • GetProcAddress.KERNEL32(00000000,?), ref: 00286782
                • OpenProcess.KERNEL32(00000040,00000000,?), ref: 0028678E
                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000), ref: 002867FD
                • CloseHandle.KERNEL32(00000000), ref: 00286830
                • CloseHandle.KERNEL32(00000000), ref: 00286856
                • CloseHandle.KERNEL32(00000000), ref: 00286876
                • CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 00286A18
                • ResetEvent.KERNEL32(00000000), ref: 00286A21
                • CreateThread.KERNEL32(00000000,00000000,00286B50,?,00000000,00000000), ref: 00286A45
                • WaitForSingleObject.KERNEL32(00000000,00000064), ref: 00286A51
                • RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 00286A97
                • CloseHandle.KERNEL32(00000000), ref: 00286AD8
                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000001), ref: 00286AE4
                • CloseHandle.KERNEL32(00000000), ref: 00286B03
                • TerminateThread.KERNEL32(A0DF89F8,00000000), ref: 00286B31
                Strings
                 Similarity
                 • API ID: Handle$Close$Process$AddressCreateCurrentEventModuleProcStringThread$AnsiObjectOpenResetSingleTerminateUnicodeWait
                 • String ID: File$v<Ea$v<Ea
                 • API String ID: 3681783469-3478411229
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsDebuggerPresent.KERNEL32 ref: 00272D56
                • IsProcessorFeaturePresent.KERNEL32(00000015), ref: 00272D62
                • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?), ref: 00272F19
                • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?), ref: 002730D0
                • RegCloseKey.ADVAPI32(?), ref: 002730E1
                • GetComputerNameA.KERNEL32(?,?), ref: 002730FF
                Strings
                 Similarity
                 • API ID: OpenPresent$CloseComputerDebuggerFeatureNameProcessor
                 • String ID: v<Ea
                 • API String ID: 2393775839-4124759590
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,001F808E,001F8237), ref: 001F802A
                • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 001F8040
                • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 001F8055
                Strings
                 Similarity
                 • API ID: AddressProc$HandleModule
                 • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive$``2
                 • API String ID: 667068680-307715719
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LockFile.KERNEL32(00000000,40000000,00000000,00000001,00000000), ref: 002E2943
                • Sleep.KERNEL32(00000001), ref: 002E2951
                • GetLastError.KERNEL32 ref: 002E2968
                • UnlockFile.KERNEL32(00000000,40000000,00000000,?,00000000), ref: 002E29B3
                 Similarity
                 • API ID: File$ErrorLastLockSleepUnlock
                 • String ID:
                 • API String ID: 3015003838-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::_Lockit::_Lockit.LIBCPMT ref: 001BA09D
                • std::_Lockit::_Lockit.LIBCPMT ref: 001BA0BF
                • std::_Lockit::~_Lockit.LIBCPMT ref: 001BA0E7
                • __Getctype.LIBCPMT ref: 001BA1C5
                • std::_Facet_Register.LIBCPMT ref: 001BA1F9
                • std::_Lockit::~_Lockit.LIBCPMT ref: 001BA223
                 Similarity
                 • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                 • String ID:
                 • API String ID: 1102183713-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RmStartSession.RSTRTMGR(?,00000000,?), ref: 0027418E
                • RmRegisterResources.RSTRTMGR(?,00000001,?,00000000,00000000,00000000,00000000,?), ref: 002741D0
                • RmGetList.RSTRTMGR(?,?,?,?,?), ref: 002741F8
                • RmShutdown.RSTRTMGR(?,00000001,00000000), ref: 00274219
                • RmEndSession.RSTRTMGR(?), ref: 0027424C
                • SetLastError.KERNEL32(00000000), ref: 00274253
                 Similarity
                 • API ID: Session$ErrorLastListRegisterResourcesShutdownStart
                 • String ID:
                 • API String ID: 3915309458-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleA.KERNEL32(?), ref: 00286C7E
                • GetProcAddress.KERNEL32(00000000,?), ref: 00286C8A
                • CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 00286E05
                • SetEvent.KERNEL32(00000000), ref: 00286E0C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: Event$AddressCreateHandleModuleProc
                • String ID: v<Ea
                • API String ID: 2341598627-4124759590
                • Opcode ID: 264d00001aa5f3ae595e92a6822ceb7ba3eec13cd7d85baea958d58fd02be9a8
                • Instruction ID: 914cb965c45adb32153111c1743c2228d1177fde163d49f684c5e0714fbeb353
                • Opcode Fuzzy Hash: 264d00001aa5f3ae595e92a6822ceb7ba3eec13cd7d85baea958d58fd02be9a8
                • Instruction Fuzzy Hash: 2081AEB491C3429FD304CF19D485A5AFBE4BF98790F10891EF89497361D7B0A949CF92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetVersionExA.KERNEL32(?,?), ref: 002E2510
                • GetTempPathW.KERNEL32(000000E6,?,?), ref: 002E2539
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: PathTempVersion
                • String ID: %s\etilqs_$>
                • API String ID: 261301950-2315843240
                • Opcode ID: 6451579ebaa1f5ce72e65555fd527c2d3ab48448400ab6dafad72549a974c6bb
                • Instruction ID: 38c321400c8bbee5128c5fb18ed7573cf33527361fbc32b39a936955352b8365
                • Opcode Fuzzy Hash: 6451579ebaa1f5ce72e65555fd527c2d3ab48448400ab6dafad72549a974c6bb
                • Instruction Fuzzy Hash: 105189709151D9DEE726CB268C257FAFBE8AF19300F8805E9D589920C2D7B44F89CB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __alloca_probe_16.LIBCMT ref: 001EA72E
                • __alloca_probe_16.LIBCMT ref: 001EA7F7
                • __freea.LIBCMT ref: 001EA85E
                  • Part of subcall function 001EB086: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,001D4B2F,?,?,76A923A0,?,?,001A3522,?,?), ref: 001EB0B8
                • __freea.LIBCMT ref: 001EA871
                • __freea.LIBCMT ref: 001EA87E
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: __freea$__alloca_probe_16$AllocateHeap
                • String ID:
                • API String ID: 1423051803-0
                • Opcode ID: 0f4f1994a430cd0609a411535eaddcde7df500161220a13030335bb44a1a26fb
                • Instruction ID: 53d31c550500cc2c0aa02df8d6f4f8c4ca6c819d505947331e89265002a45ab5
                • Opcode Fuzzy Hash: 0f4f1994a430cd0609a411535eaddcde7df500161220a13030335bb44a1a26fb
                • Instruction Fuzzy Hash: E5512772600A86AFEB205F62CC85EBF3BA9DF94751B550129FC05D6110EB30EC12C762
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::_Lockit::_Lockit.LIBCPMT ref: 001BC45A
                • std::_Lockit::_Lockit.LIBCPMT ref: 001BC47C
                • std::_Lockit::~_Lockit.LIBCPMT ref: 001BC4A4
                • std::_Facet_Register.LIBCPMT ref: 001BC59A
                • std::_Lockit::~_Lockit.LIBCPMT ref: 001BC5C4
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                • String ID:
                • API String ID: 459529453-0
                • Opcode ID: e0b165b433a4a7b35752091740ea6927895f165330bb4e0c95ced4285076cdb7
                • Instruction ID: c5cd1b13ef5be886850027ec6ff853e510b4f3691ebffe13814cd5927dbde2b5
                • Opcode Fuzzy Hash: e0b165b433a4a7b35752091740ea6927895f165330bb4e0c95ced4285076cdb7
                • Instruction Fuzzy Hash: 8B51A9B0A00249DBDB21DF98C855BAEBBF4FF10314F24819DE855AB381D7B5AA05CBD1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentThreadId.KERNEL32 ref: 001D2BCC
                • AcquireSRWLockExclusive.KERNEL32(00000008), ref: 001D2BEB
                • AcquireSRWLockExclusive.KERNEL32(00000008,00000000), ref: 001D2C19
                • TryAcquireSRWLockExclusive.KERNEL32(00000008,00000000), ref: 001D2C74
                • TryAcquireSRWLockExclusive.KERNEL32(00000008,00000000), ref: 001D2C8B
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: AcquireExclusiveLock$CurrentThread
                • String ID:
                • API String ID: 66001078-0
                • Opcode ID: 454333b4785e453dc241e61a230cf1dc06f979b49b17105264116ba3efbdf2b7
                • Instruction ID: deef6fdef992abb3a63e017eb21a173e0f6f20047f35e266fb14098c4706eb91
                • Opcode Fuzzy Hash: 454333b4785e453dc241e61a230cf1dc06f979b49b17105264116ba3efbdf2b7
                • Instruction Fuzzy Hash: 41413971A2060ADBCB24CF65D4949AEB3B4FF28361B20492BE46AD7740D730FD85DB51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetWindowsDirectoryA.KERNEL32(?,00000104,?,00000000,00000000), ref: 00282C3F
                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00282F4B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: DirectoryInformationVolumeWindows
                • String ID: b'$v<Ea
                • API String ID: 3487004747-1729473818
                • Opcode ID: 860bf1a8c6fa07b6e1b961abbcecceaeccb75782a9af9345285a4dcc09fb2ae1
                • Instruction ID: 8aa46ed5649da581551b99f6d4c9823e433209c2336986fab3896fecb3d5d0b5
                • Opcode Fuzzy Hash: 860bf1a8c6fa07b6e1b961abbcecceaeccb75782a9af9345285a4dcc09fb2ae1
                • Instruction Fuzzy Hash: D3F146B4D102499BDB15CFA8C985BEEFBB1BF09304F244259E544BB381E7716A84CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00284870: __fread_nolock.LIBCMT ref: 002849B9
                • DeleteFileA.KERNEL32(?), ref: 0026449B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: DeleteFile__fread_nolock
                • String ID: 2586$default$v<Ea
                • API String ID: 3901365830-3378637742
                • Opcode ID: 168a8920a18664be08bc6c955ef2df90bdbbecc1de9ee7f70cef9334aac30ef1
                • Instruction ID: bacbf26e439dcf6d7784614471a6bcea704e98e93ca43cd21416b97250b25e9a
                • Opcode Fuzzy Hash: 168a8920a18664be08bc6c955ef2df90bdbbecc1de9ee7f70cef9334aac30ef1
                • Instruction Fuzzy Hash: 34E1BAB4D00249CFCB01DFA8C945BAEBBB5BF59304F244159E945BB382D770AE85CB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsDebuggerPresent.KERNEL32 ref: 00272A40
                • IsProcessorFeaturePresent.KERNEL32(00000015), ref: 00272A4C
                • GetVolumeInformationA.KERNEL32(?,?,00000105,?,?,?,?,00000105), ref: 00272AF6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: Present$DebuggerFeatureInformationProcessorVolume
                • String ID: v<Ea
                • API String ID: 3535182753-4124759590
                • Opcode ID: c4f80a937cb3cec245b03b06f733e948b08f2d702258fdf4a8bef315d3341af2
                • Instruction ID: aec10f3a22fb880fb16c339e25cfb0419ee2148881fd95110a7d265a82cc89b6
                • Opcode Fuzzy Hash: c4f80a937cb3cec245b03b06f733e948b08f2d702258fdf4a8bef315d3341af2
                • Instruction Fuzzy Hash: D6A110B5D1424DEBDB11CFA8D985AEDBBB5BF09304F248199D889BB300E7315B88DB40
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleA.KERNEL32(?), ref: 002843D8
                • GetProcAddress.KERNEL32(00000000,?), ref: 002843E3
                • GetVersionExA.KERNEL32(?), ref: 002843FF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: AddressHandleModuleProcVersion
                • String ID: v<Ea
                • API String ID: 3310240892-4124759590
                • Opcode ID: b2891f550ed549a686dab0a1fb96280a7e21962eb45cc5a9b0aa9d59977cc38b
                • Instruction ID: d93e3f4a5426ffc4520564ffd975015cad9076fbb357d50ea167b60c3b48d973
                • Opcode Fuzzy Hash: b2891f550ed549a686dab0a1fb96280a7e21962eb45cc5a9b0aa9d59977cc38b
                • Instruction Fuzzy Hash: 3D51BCB9D1524DEBCB14DF98E985AEDBBB0FB08310F208199E855B3340E7306B90DB56
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 001A499F
                  • Part of subcall function 001D51EB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,76A923A0,?,001D1CF9,?,003169D8,76A923A0,?,76A923A0,-00326880), ref: 001D524B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: ExceptionIos_base_dtorRaisestd::ios_base::_
                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                • API String ID: 1903096808-1866435925
                • Opcode ID: d0f9f333641f5727dfd210a82b337e69ccb00f729850ed7a928f058fcb59a403
                • Instruction ID: b8666b23c010ce08352a4f7e3aa4b22ae65551dbef832b4e90b18b78322cb66a
                • Opcode Fuzzy Hash: d0f9f333641f5727dfd210a82b337e69ccb00f729850ed7a928f058fcb59a403
                • Instruction Fuzzy Hash: AF118CB69446446BC714DF5CCC03BA77398D74A724F04462AFE68873C2EB74A910C792
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,001D8528,00000000,?,00325904,?,?,?,001D86CB,00000004,InitializeCriticalSectionEx,002FC640,InitializeCriticalSectionEx), ref: 001D8584
                • GetLastError.KERNEL32(?,001D8528,00000000,?,00325904,?,?,?,001D86CB,00000004,InitializeCriticalSectionEx,002FC640,InitializeCriticalSectionEx,00000000,?,001D8312), ref: 001D858E
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 001D85B6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: LibraryLoad$ErrorLast
                • String ID: api-ms-
                • API String ID: 3177248105-2084034818
                • Opcode ID: 6e8553cb92a28a364cd4efeb498bf9df3c3b717e8f0ca7974e0d86d1a67d5907
                • Instruction ID: 589a7b1d53a4fc24316b690a3781311b8d0f66fb111338a227ece6bff06c7301
                • Opcode Fuzzy Hash: 6e8553cb92a28a364cd4efeb498bf9df3c3b717e8f0ca7974e0d86d1a67d5907
                • Instruction Fuzzy Hash: 4EE01A7028020CB7EE111F61FC0AB683F55AB10BA4F140031FD0CA85A1EB62BAA09946
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 002829DF
                • MultiByteToWideChar.KERNEL32(0000000F,00000000,?,000000FF,00000000,0000000F), ref: 00282A14
                • WideCharToMultiByte.KERNEL32(000004E3,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 00282A3B
                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000), ref: 00282A69
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: ByteCharMultiWide
                • String ID:
                • API String ID: 626452242-0
                • Opcode ID: 1f11f9232ed43d3f43ace6c5d707e1fbf15fec710302c43ce945a90ad3fcfde3
                • Instruction ID: bb805dbe48daae7460b5c2431ec3a1eae7882038aade27496c353d70d678a6f7
                • Opcode Fuzzy Hash: 1f11f9232ed43d3f43ace6c5d707e1fbf15fec710302c43ce945a90ad3fcfde3
                • Instruction Fuzzy Hash: F941C370900316ABDB25DF64DC05FAE7AB8AF45710F104269F814BB2D1D7B99A04C7E5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetVersionExA.KERNEL32(?), ref: 002E26D6
                  • Part of subcall function 002E30A0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,002E2705), ref: 002E30B6
                • AreFileApisANSI.KERNEL32 ref: 002E2712
                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 002E272B
                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000), ref: 002E2751
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                • Associated: 00000000.00000002.3253664682.00000000001A0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253824729.0000000000322000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253840895.0000000000324000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253858872.0000000000325000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000327000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.000000000032D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3253871364.0000000000330000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_ZtQY1K6aTi.jbxd
                Similarity
                • API ID: ByteCharMultiWide$ApisFileVersion
                • String ID:
                • API String ID: 928063719-0
                • Opcode ID: e8fcaa0430c502af39a69937f6aa70e8de3cd787380246752a9a9876fbf6b6d1
                • Instruction ID: b327cc74f45c99be467657c3a05b0e35c6589ec5d397d5922c2856e8cb57b81c
                • Opcode Fuzzy Hash: e8fcaa0430c502af39a69937f6aa70e8de3cd787380246752a9a9876fbf6b6d1
                • Instruction Fuzzy Hash: 07115C72A502246AE730AB797C8AB7B739C9B05774F200275F90DD32C0DE7459548792
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetFilePointer.KERNEL32(00000000,00000000,?,00000000), ref: 002E2CC9
                • GetLastError.KERNEL32 ref: 002E2CD6
                • WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 002E2D0E
                • GetLastError.KERNEL32 ref: 002E2D3F
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                Similarity
                • API ID: ErrorFileLast$PointerWrite
                • String ID:
                • API String ID: 2977825765-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetFileAttributesA.KERNEL32(?,?,00000006,00000005,00000005,?), ref: 002840AC
                • GetLastError.KERNEL32(?,?,00000006,00000005,00000005,?), ref: 002840B7
                • std::_Throw_Cpp_error.LIBCPMT ref: 002840FF
                • std::_Throw_Cpp_error.LIBCPMT ref: 00284110
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                Similarity
                • API ID: Cpp_errorThrow_std::_$AttributesErrorFileLast
                • String ID:
                • API String ID: 995686243-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetEnvironmentStringsW.KERNEL32 ref: 001F0983
                  • Part of subcall function 001EEC43: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,001EA854,?,00000000,-00000008), ref: 001EECA4
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 001F09BB
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 001F09DB
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                Similarity
                • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                • String ID:
                • API String ID: 158306478-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 002E2D7F
                • GetLastError.KERNEL32 ref: 002E2D8A
                • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 002E2DB2
                • GetLastError.KERNEL32 ref: 002E2DBC
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                Similarity
                • API ID: ErrorFileLast$PointerRead
                • String ID:
                • API String ID: 2170121939-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetVersionExA.KERNEL32(?,00000000,?), ref: 002E2B17
                • LockFileEx.KERNEL32(?,00000001,00000000,000001FE,00000000,?,00000000,?), ref: 002E2B5B
                • LockFile.KERNEL32(?,?,00000000,00000001,00000000,00000000,?), ref: 002E2B98
                • GetLastError.KERNEL32 ref: 002E2BA4
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                Similarity
                • API ID: FileLock$ErrorLastVersion
                • String ID:
                • API String ID: 1561719237-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __EH_prolog3.LIBCMT ref: 001D2720
                • std::_Lockit::_Lockit.LIBCPMT ref: 001D272B
                • std::_Lockit::~_Lockit.LIBCPMT ref: 001D2799
                  • Part of subcall function 001D287C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 001D2894
                • std::locale::_Setgloballocale.LIBCPMT ref: 001D2746
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                Similarity
                • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
                • String ID:
                • API String ID: 677527491-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 002E2C5F
                • GetLastError.KERNEL32 ref: 002E2C6A
                • SetEndOfFile.KERNEL32(?), ref: 002E2C77
                • GetLastError.KERNEL32 ref: 002E2C81
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                Similarity
                • API ID: ErrorFileLast$Pointer
                • String ID:
                • API String ID: 1697706070-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • WriteConsoleW.KERNEL32(00000000,00000000,001DD537,00000000,00000000,?,001F3DBC,00000000,00000001,?,?,?,001E9281,?,00000000,00000000), ref: 001F6D39
                • GetLastError.KERNEL32(?,001F3DBC,00000000,00000001,?,?,?,001E9281,?,00000000,00000000,?,?,?,001E985B,00000000), ref: 001F6D45
                  • Part of subcall function 001F6D0B: CloseHandle.KERNEL32(FFFFFFFE,001F6D55,?,001F3DBC,00000000,00000001,?,?,?,001E9281,?,00000000,00000000,?,?), ref: 001F6D1B
                • ___initconout.LIBCMT ref: 001F6D55
                  • Part of subcall function 001F6CCD: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,001F6CFC,001F3DA9,?,?,001E9281,?,00000000,00000000,?), ref: 001F6CE0
                • WriteConsoleW.KERNEL32(00000000,00000000,001DD537,00000000,?,001F3DBC,00000000,00000001,?,?,?,001E9281,?,00000000,00000000,?), ref: 001F6D6A
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                Similarity
                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                • String ID:
                • API String ID: 2744216297-0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___std_exception_destroy.LIBVCRUNTIME ref: 001A6587
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                Similarity
                • API ID: ___std_exception_destroy
                • String ID: ", "$: "
                • API String ID: 4194217158-747220369
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 001A6CF0
                • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 001A6D3E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                Similarity
                • API ID: ___std_fs_directory_iterator_advance@8
                • String ID: .
                • API String ID: 2610647541-248832578
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 001A499F
                  • Part of subcall function 001D51EB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,76A923A0,?,001D1CF9,?,003169D8,76A923A0,?,76A923A0,-00326880), ref: 001D524B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                Similarity
                • API ID: ExceptionIos_base_dtorRaisestd::ios_base::_
                • String ID: ios_base::badbit set$ios_base::failbit set
                • API String ID: 1903096808-1240500531
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::_Lockit::_Lockit.LIBCPMT ref: 001A4061
                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001A40C4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                Similarity
                • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                • String ID: bad locale name
                • API String ID: 3988782225-1405518554
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 001D4646
                • ___raise_securityfailure.LIBCMT ref: 001D4703
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3253687321.00000000001A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001A0000, based on PE: true
                Similarity
                • API ID: FeaturePresentProcessor___raise_securityfailure
                • String ID: xU2
                • API String ID: 3761405300-2864191595
                Uniqueness

                Uniqueness Score: -1.00%