Windows Analysis Report
wcNDx6MT9O.exe

Overview

General Information

Sample name: wcNDx6MT9O.exe (renamed because the original name is a hash value)
Original sample name: a2d59c9b9dfe1048afea948f5063f485765b429254fc018d6eefdc4be192106e.exe
Analysis ID: 1466894
MD5: 3deab4a2b72656bb263e29ee4ab44983
SHA1: 87b64baab0c3b8bf7f718937debf02102a4649a9
SHA256: a2d59c9b9dfe1048afea948f5063f485765b429254fc018d6eefdc4be192106e
Tags: exe, RemcosRAT

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • wcNDx6MT9O.exe (PID: 2856 cmdline: "C:\Users\user\Desktop\wcNDx6MT9O.exe" MD5: 3DEAB4A2B72656BB263E29EE4AB44983)
    • powershell.exe (PID: 5856 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wcNDx6MT9O.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7188 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7620 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7236 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\udDHoOiYEFTRf" /XML "C:\Users\user\AppData\Local\Temp\tmp3326.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • wcNDx6MT9O.exe (PID: 7376 cmdline: "C:\Users\user\Desktop\wcNDx6MT9O.exe" MD5: 3DEAB4A2B72656BB263E29EE4AB44983)
      • wcNDx6MT9O.exe (PID: 7868 cmdline: C:\Users\user\Desktop\wcNDx6MT9O.exe /stext "C:\Users\user\AppData\Local\Temp\aavmzypeykbx" MD5: 3DEAB4A2B72656BB263E29EE4AB44983)
      • wcNDx6MT9O.exe (PID: 7904 cmdline: C:\Users\user\Desktop\wcNDx6MT9O.exe /stext "C:\Users\user\AppData\Local\Temp\kciwarigmttcboj" MD5: 3DEAB4A2B72656BB263E29EE4AB44983)
      • wcNDx6MT9O.exe (PID: 7924 cmdline: C:\Users\user\Desktop\wcNDx6MT9O.exe /stext "C:\Users\user\AppData\Local\Temp\uwopajtzablhlufojfu" MD5: 3DEAB4A2B72656BB263E29EE4AB44983)
  • udDHoOiYEFTRf.exe (PID: 7504 cmdline: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe MD5: 3DEAB4A2B72656BB263E29EE4AB44983)
    • schtasks.exe (PID: 7324 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\udDHoOiYEFTRf" /XML "C:\Users\user\AppData\Local\Temp\tmp496D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • udDHoOiYEFTRf.exe (PID: 7172 cmdline: "C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe" MD5: 3DEAB4A2B72656BB263E29EE4AB44983)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "107.173.4.16:2560:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "Rmc-KDW6BI", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
00000009.00000002.3680200622.00000000029BE000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000009.00000002.3678364652.0000000000D43000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000009.00000002.3677982562.0000000000D07000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000001A.00000002.1299117760.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000001A.00000002.1298673963.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
Source | Rule | Description | Author | Strings
10.2.udDHoOiYEFTRf.exe.43e08a0.6.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
10.2.udDHoOiYEFTRf.exe.43e08a0.6.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
10.2.udDHoOiYEFTRf.exe.43e08a0.6.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x690a8:$a1: Remcos restarted by watchdog!
  • 0x69620:$a3: %02i:%02i:%02i:%03i
10.2.udDHoOiYEFTRf.exe.43e08a0.6.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x630fc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6316c:$str_b2: Executing file:
  • 0x641ec:$str_b3: GetDirectListeningPort
  • 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x63d18:$str_b7: \update.vbs
  • 0x63194:$str_b9: Downloaded file:
  • 0x63180:$str_b10: Downloading file:
  • 0x63224:$str_b12: Failed to upload file:
  • 0x641b4:$str_b13: StartForward
  • 0x641d4:$str_b14: StopForward
  • 0x63c70:$str_b15: fso.DeleteFile "
  • 0x63c04:$str_b16: On Error Resume Next
  • 0x63ca0:$str_b17: fso.DeleteFolder "
  • 0x63214:$str_b18: Uploaded file:
  • 0x631d4:$str_b19: Unable to delete:
  • 0x63c38:$str_b20: while fso.FileExists("
  • 0x636b1:$str_c0: [Firefox StoredLogins not found]
10.2.udDHoOiYEFTRf.exe.43e08a0.6.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x62f7c:$s1: CoGetObject
  • 0x62f90:$s1: CoGetObject
  • 0x62fac:$s1: CoGetObject
  • 0x6cf38:$s1: CoGetObject
  • 0x62f3c:$s2: Elevation:Administrator!new:

                System Summary

                Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wcNDx6MT9O.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wcNDx6MT9O.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\wcNDx6MT9O.exe", ParentImage: C:\Users\user\Desktop\wcNDx6MT9O.exe, ParentProcessId: 2856, ParentProcessName: wcNDx6MT9O.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wcNDx6MT9O.exe", ProcessId: 5856, ProcessName: powershell.exe
                Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\udDHoOiYEFTRf" /XML "C:\Users\user\AppData\Local\Temp\tmp496D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\udDHoOiYEFTRf" /XML "C:\Users\user\AppData\Local\Temp\tmp496D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe, ParentImage: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe, ParentProcessId: 7504, ParentProcessName: udDHoOiYEFTRf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\udDHoOiYEFTRf" /XML "C:\Users\user\AppData\Local\Temp\tmp496D.tmp", ProcessId: 7324, ProcessName: schtasks.exe
                Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\udDHoOiYEFTRf" /XML "C:\Users\user\AppData\Local\Temp\tmp3326.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\udDHoOiYEFTRf" /XML "C:\Users\user\AppData\Local\Temp\tmp3326.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\wcNDx6MT9O.exe", ParentImage: C:\Users\user\Desktop\wcNDx6MT9O.exe, ParentProcessId: 2856, ParentProcessName: wcNDx6MT9O.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\udDHoOiYEFTRf" /XML "C:\Users\user\AppData\Local\Temp\tmp3326.tmp", ProcessId: 7236, ProcessName: schtasks.exe
                Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wcNDx6MT9O.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wcNDx6MT9O.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\wcNDx6MT9O.exe", ParentImage: C:\Users\user\Desktop\wcNDx6MT9O.exe, ParentProcessId: 2856, ParentProcessName: wcNDx6MT9O.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wcNDx6MT9O.exe", ProcessId: 5856, ProcessName: powershell.exe

                Persistence and Installation Behavior

                Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\udDHoOiYEFTRf" /XML "C:\Users\user\AppData\Local\Temp\tmp3326.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\udDHoOiYEFTRf" /XML "C:\Users\user\AppData\Local\Temp\tmp3326.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\wcNDx6MT9O.exe", ParentImage: C:\Users\user\Desktop\wcNDx6MT9O.exe, ParentProcessId: 2856, ParentProcessName: wcNDx6MT9O.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\udDHoOiYEFTRf" /XML "C:\Users\user\AppData\Local\Temp\tmp3326.tmp", ProcessId: 7236, ProcessName: schtasks.exe

                Stealing of Sensitive Information

                Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\wcNDx6MT9O.exe, ProcessId: 7376, TargetFilename: C:\ProgramData\remcos\logs.dat
                No Snort rule has matched

                AV Detection

                Source: wcNDx6MT9O.exe | Avira: detected
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Avira: detection malicious, Label: TR/AD.Remcos.bczkh
                Source: 00000009.00000002.3677982562.0000000000D07000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "107.173.4.16:2560:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "Rmc-KDW6BI", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | ReversingLabs: Detection: 73%
                Source: wcNDx6MT9O.exe | ReversingLabs: Detection: 73%
                Source: Yara match | File source: 10.2.udDHoOiYEFTRf.exe.43e08a0.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 26.2.udDHoOiYEFTRf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 26.2.udDHoOiYEFTRf.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.wcNDx6MT9O.exe.4cd0ab0.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.wcNDx6MT9O.exe.4d496d0.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.udDHoOiYEFTRf.exe.43e08a0.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.udDHoOiYEFTRf.exe.4367c80.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.udDHoOiYEFTRf.exe.4367c80.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.wcNDx6MT9O.exe.4d496d0.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.wcNDx6MT9O.exe.4cd0ab0.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000009.00000002.3680200622.00000000029BE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3678364652.0000000000D43000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3677982562.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001A.00000002.1299117760.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001A.00000002.1298673963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.1323365621.000000000424D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1269149311.0000000004C0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: wcNDx6MT9O.exe PID: 2856, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: wcNDx6MT9O.exe PID: 7376, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: udDHoOiYEFTRf.exe PID: 7504, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: udDHoOiYEFTRf.exe PID: 7172, type: MEMORYSTR
                Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Joe Sandbox ML: detected
                Source: wcNDx6MT9O.exe | Joe Sandbox ML: detected
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: 26_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,26_2_00433837
                Source: wcNDx6MT9O.exe, 00000000.00000002.1269149311.0000000004C0A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_b6788ae8-d

                Exploits

                Source: Yara match | File source: 10.2.udDHoOiYEFTRf.exe.43e08a0.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 26.2.udDHoOiYEFTRf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 26.2.udDHoOiYEFTRf.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.wcNDx6MT9O.exe.4cd0ab0.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.wcNDx6MT9O.exe.4d496d0.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.udDHoOiYEFTRf.exe.43e08a0.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.udDHoOiYEFTRf.exe.4367c80.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.udDHoOiYEFTRf.exe.4367c80.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.wcNDx6MT9O.exe.4d496d0.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.wcNDx6MT9O.exe.4cd0ab0.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000001A.00000002.1298673963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.1323365621.000000000424D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1269149311.0000000004C0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: wcNDx6MT9O.exe PID: 2856, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: udDHoOiYEFTRf.exe PID: 7504, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: udDHoOiYEFTRf.exe PID: 7172, type: MEMORYSTR

                Privilege Escalation

                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: 26_2_004074FD _wcslen,CoGetObject,26_2_004074FD
                Source: wcNDx6MT9O.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: wcNDx6MT9O.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 9_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,9_2_100010F1
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 9_2_10006580 FindFirstFileExA,9_2_10006580
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 17_2_0040AE51 FindFirstFileW,FindNextFileW,17_2_0040AE51
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 18_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,18_2_00407EF8
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 19_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,19_2_00407898
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: 26_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,26_2_00409253
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: 26_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,26_2_0041C291
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: 26_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,26_2_0040C34D
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: 26_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,26_2_00409665
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: 26_2_0044E879 FindFirstFileExA,26_2_0044E879
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: 26_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,26_2_0040880C
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: 26_2_0040783C FindFirstFileW,FindNextFileW,26_2_0040783C
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: 26_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,26_2_00419AF5
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: 26_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,26_2_0040BB30
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: 26_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,26_2_0040BD37
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: 26_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,26_2_00407C97
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 4x nop then jmp 018A7781h 0_2_018A718A
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: 4x nop then jmp 07346979h 10_2_07346382

                Networking

                Source: Malware configuration extractor | URLs: 107.173.4.16
                Source: global traffic | TCP traffic: 192.168.2.7:49701 -> 107.173.4.16:2560
                Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1, Host: geoplugin.net, Cache-Control: no-cache
                Source: Joe Sandbox View | IP Address: 107.173.4.16
                Source: Joe Sandbox View | IP Address: 178.237.33.50
                Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
                Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.4.16
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: 26_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 26_2_0041B380
                Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
                Source: wcNDx6MT9O.exe, 00000013.00000002.1275427104.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
                Source: wcNDx6MT9O.exe, wcNDx6MT9O.exe, 00000013.00000002.1275427104.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
                Source: wcNDx6MT9O.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                Source: wcNDx6MT9O.exe, 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                Source: wcNDx6MT9O.exe, 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
                Source: bhv1B39.tmp.17.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                Source: bhv1B39.tmp.17.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                Source: bhv1B39.tmp.17.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                Source: bhv1B39.tmp.17.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                Source: bhv1B39.tmp.17.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                Source: wcNDx6MT9O.exe, 00000009.00000002.3677982562.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, wcNDx6MT9O.exe, 00000009.00000002.3678364652.0000000000D43000.00000004.00000020.00020000.00000000.sdmp, udDHoOiYEFTRf.exe | String found in binary or memory: http://geoplugin.net/json.gp
                Source: wcNDx6MT9O.exe, 00000000.00000002.1269149311.0000000004C0A000.00000004.00000800.00020000.00000000.sdmp, udDHoOiYEFTRf.exe, 0000000A.00000002.1323365621.000000000424D000.00000004.00000800.00020000.00000000.sdmp, udDHoOiYEFTRf.exe, 0000001A.00000002.1298673963.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
                Source: wcNDx6MT9O.exe, 00000009.00000002.3677982562.0000000000D07000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpONTD~1
                Source: bhv1B39.tmp.17.dr | String found in binary or memory: http://ocsp.digicert.com0
                Source: wcNDx6MT9O.exe, 00000000.00000002.1268365827.0000000003525000.00000004.00000800.00020000.00000000.sdmp, udDHoOiYEFTRf.exe, 0000000A.00000002.1320720545.0000000003041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: wcNDx6MT9O.exe, wcNDx6MT9O.exe, 00000013.00000002.1275427104.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com
                Source: wcNDx6MT9O.exe, wcNDx6MT9O.exe, 00000013.00000002.1275427104.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.com
                Source: wcNDx6MT9O.exe, 00000013.00000002.1275427104.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                Source: wcNDx6MT9O.exe, 00000013.00000002.1275427104.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comr
                Source: wcNDx6MT9O.exe, 00000011.00000002.1288198307.0000000000EF3000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net
                Source: wcNDx6MT9O.exe, 00000013.00000002.1275427104.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net/
                Source: wcNDx6MT9O.exe, 00000011.00000002.1289033264.0000000001158000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: wcNDx6MT9O.exe, 00000011.00000002.1289033264.0000000001158000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: wcNDx6MT9O.exe, 00000011.00000002.1289033264.0000000001158000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: wcNDx6MT9O.exe | String found in binary or memory: https://login.yahoo.com/config/login
                Source: wcNDx6MT9O.exe, wcNDx6MT9O.exe, 00000013.00000002.1275427104.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
                Source: wcNDx6MT9O.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: 26_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000 | 26_2_0040A2B8
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\wcNDx6MT9O.exe
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 17_2_0041183A OpenClipboard,GetLastError,DeleteFileW | 17_2_0041183A
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 17_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard | 17_2_0040987A
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 17_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard | 17_2_004098E2
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 18_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard | 18_2_00406DFC
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 18_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard | 18_2_00406E9F
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 19_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard | 19_2_004068B5
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 19_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard | 19_2_004072B5
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: 26_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard | 26_2_004168C1
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: 26_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard | 26_2_0040B70E
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: 26_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx | 26_2_0040A3E0

                E-Banking Fraud

                Source: Yara match | File source: 10.2.udDHoOiYEFTRf.exe.43e08a0.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 26.2.udDHoOiYEFTRf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 26.2.udDHoOiYEFTRf.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.wcNDx6MT9O.exe.4cd0ab0.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.wcNDx6MT9O.exe.4d496d0.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.udDHoOiYEFTRf.exe.43e08a0.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.udDHoOiYEFTRf.exe.4367c80.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.udDHoOiYEFTRf.exe.4367c80.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.wcNDx6MT9O.exe.4d496d0.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.wcNDx6MT9O.exe.4cd0ab0.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000009.00000002.3680200622.00000000029BE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3678364652.0000000000D43000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3677982562.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001A.00000002.1299117760.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001A.00000002.1298673963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.1323365621.000000000424D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1269149311.0000000004C0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: wcNDx6MT9O.exe PID: 2856, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: wcNDx6MT9O.exe PID: 7376, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: udDHoOiYEFTRf.exe PID: 7504, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: udDHoOiYEFTRf.exe PID: 7172, type: MEMORYSTR

                Spam, unwanted Advertisements and Ransom Demands

                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: 26_2_0041C9E2 SystemParametersInfoW | 26_2_0041C9E2

                System Summary

                Source: 10.2.udDHoOiYEFTRf.exe.43e08a0.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 10.2.udDHoOiYEFTRf.exe.43e08a0.6.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 10.2.udDHoOiYEFTRf.exe.43e08a0.6.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 26.2.udDHoOiYEFTRf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 26.2.udDHoOiYEFTRf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 26.2.udDHoOiYEFTRf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 26.2.udDHoOiYEFTRf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 26.2.udDHoOiYEFTRf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 26.2.udDHoOiYEFTRf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.wcNDx6MT9O.exe.4cd0ab0.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.wcNDx6MT9O.exe.4cd0ab0.6.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 0.2.wcNDx6MT9O.exe.4cd0ab0.6.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.wcNDx6MT9O.exe.4d496d0.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.wcNDx6MT9O.exe.4d496d0.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 0.2.wcNDx6MT9O.exe.4d496d0.4.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 10.2.udDHoOiYEFTRf.exe.43e08a0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 10.2.udDHoOiYEFTRf.exe.43e08a0.6.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 10.2.udDHoOiYEFTRf.exe.43e08a0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 10.2.udDHoOiYEFTRf.exe.4367c80.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 10.2.udDHoOiYEFTRf.exe.4367c80.5.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 10.2.udDHoOiYEFTRf.exe.4367c80.5.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 10.2.udDHoOiYEFTRf.exe.4367c80.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 10.2.udDHoOiYEFTRf.exe.4367c80.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.wcNDx6MT9O.exe.4d496d0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.wcNDx6MT9O.exe.4d496d0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.wcNDx6MT9O.exe.4cd0ab0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.wcNDx6MT9O.exe.4cd0ab0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0000001A.00000002.1298673963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0000001A.00000002.1298673963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 0000001A.00000002.1298673963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0000000A.00000002.1323365621.000000000424D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000000.00000002.1269149311.0000000004C0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: wcNDx6MT9O.exe PID: 2856, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: udDHoOiYEFTRf.exe PID: 7504, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: udDHoOiYEFTRf.exe PID: 7172, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Process Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 17_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle | 17_2_0040DD85
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 17_2_00401806 NtdllDefWindowProc_W | 17_2_00401806
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 17_2_004018C0 NtdllDefWindowProc_W | 17_2_004018C0
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 18_2_004016FD NtdllDefWindowProc_A | 18_2_004016FD
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 18_2_004017B7 NtdllDefWindowProc_A | 18_2_004017B7
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 19_2_00402CAC NtdllDefWindowProc_A | 19_2_00402CAC
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 19_2_00402D66 NtdllDefWindowProc_A | 19_2_00402D66
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: 26_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress | 26_2_004167B4
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeCode function: 26_2_0045332B26_2_0045332B
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeCode function: 26_2_0042739D26_2_0042739D
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeCode function: 26_2_004374E626_2_004374E6
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeCode function: 26_2_0043E55826_2_0043E558
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeCode function: 26_2_0043877026_2_00438770
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeCode function: 26_2_004378FE26_2_004378FE
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeCode function: 26_2_0043394626_2_00433946
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeCode function: 26_2_0044D9C926_2_0044D9C9
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeCode function: 26_2_00427A4626_2_00427A46
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeCode function: 26_2_0041DB6226_2_0041DB62
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeCode function: 26_2_00427BAF26_2_00427BAF
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeCode function: 26_2_00437D3326_2_00437D33
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeCode function: 26_2_00435E5E26_2_00435E5E
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeCode function: 26_2_00426E0E26_2_00426E0E
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeCode function: 26_2_0043DE9D26_2_0043DE9D
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeCode function: 26_2_00413FCA26_2_00413FCA
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeCode function: 26_2_00436FEA26_2_00436FEA
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: String function: 004169A7 appears 87 times
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: String function: 0044DB70 appears 41 times
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: String function: 004165FF appears 35 times
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: String function: 00422297 appears 42 times
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: String function: 00444B5A appears 37 times
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: String function: 00413025 appears 79 times
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: String function: 00416760 appears 69 times
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: String function: 00434E10 appears 54 times
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: String function: 00402093 appears 50 times
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: String function: 00434770 appears 41 times
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: String function: 00401E65 appears 34 times
                Source: wcNDx6MT9O.exe, 00000000.00000000.1224785523.0000000000EE0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameXbEe.exeH vs wcNDx6MT9O.exe
                Source: wcNDx6MT9O.exe, 00000000.00000002.1289068824.000000000E8E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs wcNDx6MT9O.exe
                Source: wcNDx6MT9O.exe, 00000000.00000002.1287356953.0000000008BB0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs wcNDx6MT9O.exe
                Source: wcNDx6MT9O.exe, 00000000.00000002.1269149311.0000000004F6F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs wcNDx6MT9O.exe
                Source: wcNDx6MT9O.exe, 00000000.00000002.1286566142.0000000005D50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs wcNDx6MT9O.exe
                Source: wcNDx6MT9O.exe, 00000000.00000002.1269149311.0000000004219000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs wcNDx6MT9O.exe
                Source: wcNDx6MT9O.exe, 00000000.00000002.1265974107.00000000014AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs wcNDx6MT9O.exe
                Source: wcNDx6MT9O.exe, 00000000.00000002.1287356953.0000000008C2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXbEe.exeH vs wcNDx6MT9O.exe
                Source: wcNDx6MT9O.exe | Binary or memory string: OriginalFileName vs wcNDx6MT9O.exe
                Source: wcNDx6MT9O.exe, 00000013.00000002.1275427104.000000000041B000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs wcNDx6MT9O.exe
                Source: wcNDx6MT9O.exe | Binary or memory string: OriginalFilenameXbEe.exeH vs wcNDx6MT9O.exe
                Source: wcNDx6MT9O.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 10.2.udDHoOiYEFTRf.exe.43e08a0.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 10.2.udDHoOiYEFTRf.exe.43e08a0.6.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 10.2.udDHoOiYEFTRf.exe.43e08a0.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 26.2.udDHoOiYEFTRf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 26.2.udDHoOiYEFTRf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 26.2.udDHoOiYEFTRf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 26.2.udDHoOiYEFTRf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 26.2.udDHoOiYEFTRf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 26.2.udDHoOiYEFTRf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.wcNDx6MT9O.exe.4cd0ab0.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.wcNDx6MT9O.exe.4cd0ab0.6.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0.2.wcNDx6MT9O.exe.4cd0ab0.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.wcNDx6MT9O.exe.4d496d0.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.wcNDx6MT9O.exe.4d496d0.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0.2.wcNDx6MT9O.exe.4d496d0.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 10.2.udDHoOiYEFTRf.exe.43e08a0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 10.2.udDHoOiYEFTRf.exe.43e08a0.6.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 10.2.udDHoOiYEFTRf.exe.43e08a0.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 10.2.udDHoOiYEFTRf.exe.4367c80.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 10.2.udDHoOiYEFTRf.exe.4367c80.5.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 10.2.udDHoOiYEFTRf.exe.4367c80.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 10.2.udDHoOiYEFTRf.exe.4367c80.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 10.2.udDHoOiYEFTRf.exe.4367c80.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.wcNDx6MT9O.exe.4d496d0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.wcNDx6MT9O.exe.4d496d0.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.wcNDx6MT9O.exe.4cd0ab0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.wcNDx6MT9O.exe.4cd0ab0.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0000001A.00000002.1298673963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0000001A.00000002.1298673963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0000001A.00000002.1298673963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0000000A.00000002.1323365621.000000000424D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000000.00000002.1269149311.0000000004C0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: wcNDx6MT9O.exe PID: 2856, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: udDHoOiYEFTRf.exe PID: 7504, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: udDHoOiYEFTRf.exe PID: 7172, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: wcNDx6MT9O.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: udDHoOiYEFTRf.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.wcNDx6MT9O.exe.4fc7130.3.raw.unpack, O0ixJHJCCpGHlJVqSq.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.wcNDx6MT9O.exe.4fc7130.3.raw.unpack, O0ixJHJCCpGHlJVqSq.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.wcNDx6MT9O.exe.4fc7130.3.raw.unpack, O0ixJHJCCpGHlJVqSq.cs | Security API names: _0020.AddAccessRule
                Source: 10.2.udDHoOiYEFTRf.exe.412be20.3.raw.unpack, jtWnDg0cSfWELCDUka.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.wcNDx6MT9O.exe.e8e0000.10.raw.unpack, jtWnDg0cSfWELCDUka.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.wcNDx6MT9O.exe.4fc7130.3.raw.unpack, jtWnDg0cSfWELCDUka.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.wcNDx6MT9O.exe.e8e0000.10.raw.unpack, O0ixJHJCCpGHlJVqSq.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.wcNDx6MT9O.exe.e8e0000.10.raw.unpack, O0ixJHJCCpGHlJVqSq.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.wcNDx6MT9O.exe.e8e0000.10.raw.unpack, O0ixJHJCCpGHlJVqSq.cs | Security API names: _0020.AddAccessRule
                Source: 10.2.udDHoOiYEFTRf.exe.412be20.3.raw.unpack, O0ixJHJCCpGHlJVqSq.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 10.2.udDHoOiYEFTRf.exe.412be20.3.raw.unpack, O0ixJHJCCpGHlJVqSq.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 10.2.udDHoOiYEFTRf.exe.412be20.3.raw.unpack, O0ixJHJCCpGHlJVqSq.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.wcNDx6MT9O.exe.3240408.0.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
                Source: 0.2.wcNDx6MT9O.exe.7430000.9.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
                Source: 0.2.wcNDx6MT9O.exe.3250420.1.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
                Source: 10.2.udDHoOiYEFTRf.exe.30b4094.2.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
                Source: 10.2.udDHoOiYEFTRf.exe.30c40ac.0.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
                Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@25/19@1/2
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 17_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 19_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: 26_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 17_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 17_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,FindCloseChangeNotification
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 17_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: 26_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | File created: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Mutant created: \Sessions\1\BaseNamedObjects\sVZWOneco
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6340:120:WilError_03
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-KDW6BI
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7284:120:WilError_03
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3326.tmp
                Source: wcNDx6MT9O.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | System information queried: HandleInformation
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: wcNDx6MT9O.exe, wcNDx6MT9O.exe, 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: wcNDx6MT9O.exe, wcNDx6MT9O.exe, 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: wcNDx6MT9O.exe, 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: wcNDx6MT9O.exe, wcNDx6MT9O.exe, 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: wcNDx6MT9O.exe, wcNDx6MT9O.exe, 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: wcNDx6MT9O.exe, wcNDx6MT9O.exe, 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: wcNDx6MT9O.exe, wcNDx6MT9O.exe, 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: wcNDx6MT9O.exe | ReversingLabs: Detection: 73%
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | File read: C:\Users\user\Desktop\wcNDx6MT9O.exe
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit (graph_18-33248)
                Source: unknown | Process created: C:\Users\user\Desktop\wcNDx6MT9O.exe "C:\Users\user\Desktop\wcNDx6MT9O.exe"
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wcNDx6MT9O.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\udDHoOiYEFTRf" /XML "C:\Users\user\AppData\Local\Temp\tmp3326.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Process created: C:\Users\user\Desktop\wcNDx6MT9O.exe "C:\Users\user\Desktop\wcNDx6MT9O.exe"
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeProcess created: C:\Users\user\Desktop\wcNDx6MT9O.exe C:\Users\user\Desktop\wcNDx6MT9O.exe /stext "C:\Users\user\AppData\Local\Temp\aavmzypeykbx"
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeProcess created: C:\Users\user\Desktop\wcNDx6MT9O.exe C:\Users\user\Desktop\wcNDx6MT9O.exe /stext "C:\Users\user\AppData\Local\Temp\kciwarigmttcboj"
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeProcess created: C:\Users\user\Desktop\wcNDx6MT9O.exe C:\Users\user\Desktop\wcNDx6MT9O.exe /stext "C:\Users\user\AppData\Local\Temp\uwopajtzablhlufojfu"
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\udDHoOiYEFTRf" /XML "C:\Users\user\AppData\Local\Temp\tmp496D.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess created: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe "C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe"
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wcNDx6MT9O.exe"Jump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe"Jump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\udDHoOiYEFTRf" /XML "C:\Users\user\AppData\Local\Temp\tmp3326.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeProcess created: C:\Users\user\Desktop\wcNDx6MT9O.exe "C:\Users\user\Desktop\wcNDx6MT9O.exe"Jump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeProcess created: C:\Users\user\Desktop\wcNDx6MT9O.exe C:\Users\user\Desktop\wcNDx6MT9O.exe /stext "C:\Users\user\AppData\Local\Temp\aavmzypeykbx"Jump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeProcess created: C:\Users\user\Desktop\wcNDx6MT9O.exe C:\Users\user\Desktop\wcNDx6MT9O.exe /stext "C:\Users\user\AppData\Local\Temp\kciwarigmttcboj"Jump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeProcess created: C:\Users\user\Desktop\wcNDx6MT9O.exe C:\Users\user\Desktop\wcNDx6MT9O.exe /stext "C:\Users\user\AppData\Local\Temp\uwopajtzablhlufojfu"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\udDHoOiYEFTRf" /XML "C:\Users\user\AppData\Local\Temp\tmp496D.tmp"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess created: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe "C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe"Jump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: rstrtmgr.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: version.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: wininet.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: wldp.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: sspicli.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: iertutil.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: profapi.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: pstorec.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: vaultcli.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: wintypes.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: dpapi.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: msasn1.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: wldp.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: pstorec.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: sspicli.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: msasn1.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: msasn1.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: wldp.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: msasn1.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: sspicli.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: winmm.dll
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: wininet.dll
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: rstrtmgr.dll
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: ntasn1.dll
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeFile opened: C:\Users\user\Desktop\wcNDx6MT9O.cfg
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: wcNDx6MT9O.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: wcNDx6MT9O.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Data Obfuscation

                Source: wcNDx6MT9O.exe, Form1.cs | .Net Code: InitializeComponent
                Source: udDHoOiYEFTRf.exe.0.dr, Form1.cs | .Net Code: InitializeComponent
                Source: 0.2.wcNDx6MT9O.exe.e8e0000.10.raw.unpack, O0ixJHJCCpGHlJVqSq.cs | .Net Code: Q2ss8jJ7IV System.Reflection.Assembly.Load(byte[])
                Source: 0.2.wcNDx6MT9O.exe.4219970.5.raw.unpack, LoginForm.cs | .Net Code: _200E_202E_200D_206C_202E_206B_200C_200E_206F_206F_202A_206E_202D_206B_206F_202A_202A_206C_206C_200C_206B_206E_202A_206D_200D_202B_200F_206A_202E_200B_202A_202E_202B_202C_200C_202A_206C_202A_206B_200E_202E System.Reflection.Assembly.Load(byte[])
                Source: 0.2.wcNDx6MT9O.exe.4fc7130.3.raw.unpack, O0ixJHJCCpGHlJVqSq.cs | .Net Code: Q2ss8jJ7IV System.Reflection.Assembly.Load(byte[])
                Source: 10.2.udDHoOiYEFTRf.exe.412be20.3.raw.unpack, O0ixJHJCCpGHlJVqSq.cs | .Net Code: Q2ss8jJ7IV System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 17_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW | 17_2_004044A4
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 0_2_018A0797 push E990059Eh; retf | 0_2_018A079C
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 0_2_031EF590 pushfd ; iretd | 0_2_031EF599
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 0_2_0E552475 push cs; ret | 0_2_0E552488
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 9_2_10002806 push ecx; ret | 9_2_10002819
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: 10_2_07340797 push E990057Fh; retf | 10_2_0734079C
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 17_2_0044693D push ecx; ret | 17_2_0044694D
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 17_2_0044DB70 push eax; ret | 17_2_0044DB84
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 17_2_0044DB70 push eax; ret | 17_2_0044DBAC
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: 17_2_00451D54 push eax; ret | 17_2_00451D61
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeCode function: 18_2_0044B090 push eax; ret 18_2_0044B0A4
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeCode function: 18_2_0044B090 push eax; ret 18_2_0044B0CC
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeCode function: 18_2_00451D34 push eax; ret 18_2_00451D41
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeCode function: 18_2_00444E71 push ecx; ret 18_2_00444E81
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeCode function: 19_2_00414060 push eax; ret 19_2_00414074
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeCode function: 19_2_00414060 push eax; ret 19_2_0041409C
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeCode function: 19_2_00414039 push ecx; ret 19_2_00414049
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeCode function: 19_2_004164EB push 0000006Ah; retf 19_2_004165C4
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeCode function: 19_2_00416553 push 0000006Ah; retf 19_2_004165C4
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeCode function: 19_2_00416555 push 0000006Ah; retf 19_2_004165C4
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeCode function: 26_2_00457106 push ecx; ret 26_2_00457119
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeCode function: 26_2_0045B11A push esp; ret 26_2_0045B141
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeCode function: 26_2_0045E54D push esi; ret 26_2_0045E556
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeCode function: 26_2_00457A28 push eax; ret 26_2_00457A46
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeCode function: 26_2_00434E56 push ecx; ret 26_2_00434E69
                Source: wcNDx6MT9O.exeStatic PE information: section name: .text entropy: 7.979597620755101
                Source: udDHoOiYEFTRf.exe.0.drStatic PE information: section name: .text entropy: 7.979597620755101
                Source: 0.2.wcNDx6MT9O.exe.e8e0000.10.raw.unpack, sQI9H7b4fynIl8VmTd.csHigh entropy of concatenated method names: 'NMsm1M5PVC', 'usimAs3hl7', 'f4PmVqjCQy', 'PprmNVlJ8q', 'kckm5WfhEO', 'H8umyuABWl', 'S7MmJunxVq', 'cfUmkgNOOV', 'NH2mPNlCUr', 'fYHmgOgJZF'
                Source: 0.2.wcNDx6MT9O.exe.e8e0000.10.raw.unpack, vYFSIDHBgdqCf20gw9E.csHigh entropy of concatenated method names: 'hhbIuVQxIo', 'PCbItQjOjX', 'cJQI8Sc4lF', 'OAjILlMPdu', 'CAlIMuZVpS', 'QNuI2LYT9a', 'sTpIiEr4f4', 'brpI08rwXt', 'cjlIUCHogx', 'tGNIaDuExU'
                Source: 0.2.wcNDx6MT9O.exe.e8e0000.10.raw.unpack, FPDSfOzUOURJrcVNn8.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JP5IrR5nEF', 'y12IdN4Xul', 'NdeIfuaxAQ', 'X1mIXfwgYq', 'KUZImILaZ4', 'aHjIIphEFv', 'Ca6IO01JHA'
                Source: 0.2.wcNDx6MT9O.exe.e8e0000.10.raw.unpack, mR8SLixX3WsIs6EtVr.csHigh entropy of concatenated method names: 'FhhXbfa16P', 'RS1X4Zw9AP', 'rtrmBPLtTq', 'vBsmHvERCW', 'XdSX3fQWwx', 'xOOXFbUSm5', 'rdrXT0e5pC', 'y1jXClrvVs', 'gcIXDQuZ4K', 'MMCXQrhDru'
                Source: 0.2.wcNDx6MT9O.exe.e8e0000.10.raw.unpack, mETe3e9eJ7WkxHYTha.csHigh entropy of concatenated method names: 'HQtXP8vhph', 'zWmXgUqieU', 'ToString', 'zxCX178NGb', 'dUMXAyvBMy', 'wEMXVF6gGp', 'U98XNnvD0q', 'jUFX5BQVvu', 'UrxXyYg9CT', 'pYWXJPfkqr'
                Source: 0.2.wcNDx6MT9O.exe.e8e0000.10.raw.unpack, w0gtIRaOXHZ2QP1fM1.csHigh entropy of concatenated method names: 'mY4NMoUMn1', 'M0rNilpLCl', 'pbOVK7WVPP', 'o2tVwMSbSY', 'n4SVvBFPlQ', 'aiNVei5jri', 'ulkVERrmi5', 'yZoVjtOH6L', 'VKAV7PtJN8', 'LxdVRWENcC'
                Source: 0.2.wcNDx6MT9O.exe.e8e0000.10.raw.unpack, jtWnDg0cSfWELCDUka.csHigh entropy of concatenated method names: 'yAaACCjedN', 'RPuADVbfd9', 'klGAQ8FHYQ', 'bRnA9rB1bT', 'TPNAhUv5tY', 'gpOAxoRmt9', 'dJCAZyawMN', 'H8LAbTW1F2', 'OciAGTB00E', 'OBnA4B9OTx'
                Source: 0.2.wcNDx6MT9O.exe.e8e0000.10.raw.unpack, oeCUdqGTkfhC9g3eDN.csHigh entropy of concatenated method names: 'SStmW2JRjS', 'riamYpmESH', 'YyDmK8R8s3', 'HS1mwo6yKm', 'kAOmCQqMJI', 'AQjmvnVXqB', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.wcNDx6MT9O.exe.e8e0000.10.raw.unpack, ch39ygTmoAVi4SgNt2.csHigh entropy of concatenated method names: 'fThr0xeNPw', 'P2prUC9Rjw', 'f0ErWmnLyQ', 'RV5rYSae2m', 'BhSrwRZcnD', 'iXorvn9p5A', 'J1FrEp1CsA', 'kBerjOA9fL', 'aPyrRHOmPe', 'HwTr3fco6c'
                Source: 0.2.wcNDx6MT9O.exe.e8e0000.10.raw.unpack, O0ixJHJCCpGHlJVqSq.csHigh entropy of concatenated method names: 'MSTlcle7yV', 'tqyl14l6Vq', 'Kt4lANKoyT', 'emglV2fbsQ', 'wn0lN9jWMr', 'Cj3l570j2r', 'ucSlyAowtR', 'xnUlJgOHMW', 'ltZlkWlDJN', 'FZalP4N0Er'
                Source: 0.2.wcNDx6MT9O.exe.e8e0000.10.raw.unpack, GfN18RSvm5sBKTe34j.csHigh entropy of concatenated method names: 'r4E8v2l3x', 'K5NLVTagP', 'hS72ldbMU', 'pQkiqpE9M', 'cq4UGroGO', 'JUCaiG510', 'okbflhVUHDt0pWmNBI', 'RPoi43e7412hwVcdHU', 'l5DmCt2nF', 'fCkOYqGDC'
                Source: 0.2.wcNDx6MT9O.exe.e8e0000.10.raw.unpack, X8q2DAU4CsgHjQGmBI.csHigh entropy of concatenated method names: 'DmuVLdslSC', 'hwIV2uk8D2', 'ULfV0gBOBB', 'eXsVUEHdUl', 'nWUVd8lXFQ', 'jHAVfW2nSJ', 'KMFVXpj3X8', 'kXKVmnA2e7', 'ulUVIu7RmZ', 'qwAVOWxoTi'
                Source: 0.2.wcNDx6MT9O.exe.e8e0000.10.raw.unpack, dE0oRC75a8GXQofHYg.csHigh entropy of concatenated method names: 'kcayuHPCLW', 'ofjytRnv6u', 'CRiy8Nh4cp', 'HnZyL7wS9U', 'F5kyMJQqli', 'KTwy2JGhGn', 'hXfyiaiOTT', 'YUHy0xMmpD', 's1wyUxxOC8', 'eNoyaaOXeG'
                Source: 0.2.wcNDx6MT9O.exe.e8e0000.10.raw.unpack, HUEaTcA4P0w5x2Cyyy.csHigh entropy of concatenated method names: 'Dispose', 'PSlHGtj0vq', 'Gr8SYQDbtg', 'HMLPP7Saoh', 'IIQH4I9H74', 'pynHzIl8Vm', 'ProcessDialogKey', 'QddSBeCUdq', 'PkfSHhC9g3', 'KDNSSCfvZW'
                Source: 0.2.wcNDx6MT9O.exe.e8e0000.10.raw.unpack, QfvZW242W7h8u1nPhm.csHigh entropy of concatenated method names: 'AhQIHW25uY', 'TPZIlIP6o0', 'xgPIsA5LJu', 'hvHI12R7fI', 'dajIA5Nn5F', 'RE4IN82RG7', 'Jr2I5Uudju', 'R0VmZOWmy6', 'GdGmb7QO8s', 'RU0mGQRpIP'
                Source: 0.2.wcNDx6MT9O.exe.e8e0000.10.raw.unpack, HS7wt7HllKZKgIxj1Mh.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lxyOCy1xci', 'lCwODpbn0k', 'H8qOQRJGn3', 'IClO9y0Hmt', 'PJiOhWjv8f', 'WLdOx7m46h', 'nwXOZSnQY6'
                Source: 0.2.wcNDx6MT9O.exe.e8e0000.10.raw.unpack, RngeWtWPQugBgDmLQE.csHigh entropy of concatenated method names: 'Yno5cn4uoC', 'vpG5AdDguj', 'nQS5NFoPoL', 'iCx5y61nXO', 'CRF5JpaVmo', 'q3qNhUQq2c', 'PCNNxr1IAE', 'WHCNZlItl0', 'JEbNb8fXOt', 'xyANG3a7nr'
                Source: 0.2.wcNDx6MT9O.exe.e8e0000.10.raw.unpack, pBVVkeEteMVkRhYmt4.csHigh entropy of concatenated method names: 'wFFy1AqgAx', 'gUByVr9lNN', 'wYLy5ixNKU', 'C3g54n5Y6l', 'oy95zBuxeM', 'a8eyBVcuj9', 'Ta3yHQumMP', 'YlCySXKWTS', 'pfkylkxRfb', 'T1lysKfNMB'
                Source: 0.2.wcNDx6MT9O.exe.e8e0000.10.raw.unpack, Lbv3DxsrfgleJMRY4g.csHigh entropy of concatenated method names: 'qSyHytWnDg', 'eSfHJWELCD', 'g4CHPsgHjQ', 'YmBHgIp0gt', 'm1fHdM1Cng', 'JWtHfPQugB', 'ovYkjZtyjVdFy9lEk5', 'W0V1PLLUL66qg1b76U', 'tM1HHDZjYm', 'wuEHlKrwhD'
                Source: 0.2.wcNDx6MT9O.exe.e8e0000.10.raw.unpack, oeaRAKQnCqu6p8ySPx.csHigh entropy of concatenated method names: 'ToString', 'Tf3f3ctCwq', 'dbUfYImff0', 'm0pfKpCtm0', 'Co3fwiBS26', 'a2ffvMdehN', 'OOifeQWAuf', 'hrrfEBFfSi', 'dTLfjAJol5', 'DsZf7lWyDy'
                Source: 0.2.wcNDx6MT9O.exe.4fc7130.3.raw.unpack, sQI9H7b4fynIl8VmTd.csHigh entropy of concatenated method names: 'NMsm1M5PVC', 'usimAs3hl7', 'f4PmVqjCQy', 'PprmNVlJ8q', 'kckm5WfhEO', 'H8umyuABWl', 'S7MmJunxVq', 'cfUmkgNOOV', 'NH2mPNlCUr', 'fYHmgOgJZF'
                Source: 0.2.wcNDx6MT9O.exe.4fc7130.3.raw.unpack, vYFSIDHBgdqCf20gw9E.csHigh entropy of concatenated method names: 'hhbIuVQxIo', 'PCbItQjOjX', 'cJQI8Sc4lF', 'OAjILlMPdu', 'CAlIMuZVpS', 'QNuI2LYT9a', 'sTpIiEr4f4', 'brpI08rwXt', 'cjlIUCHogx', 'tGNIaDuExU'
                Source: 0.2.wcNDx6MT9O.exe.4fc7130.3.raw.unpack, FPDSfOzUOURJrcVNn8.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JP5IrR5nEF', 'y12IdN4Xul', 'NdeIfuaxAQ', 'X1mIXfwgYq', 'KUZImILaZ4', 'aHjIIphEFv', 'Ca6IO01JHA'
                Source: 0.2.wcNDx6MT9O.exe.4fc7130.3.raw.unpack, mR8SLixX3WsIs6EtVr.csHigh entropy of concatenated method names: 'FhhXbfa16P', 'RS1X4Zw9AP', 'rtrmBPLtTq', 'vBsmHvERCW', 'XdSX3fQWwx', 'xOOXFbUSm5', 'rdrXT0e5pC', 'y1jXClrvVs', 'gcIXDQuZ4K', 'MMCXQrhDru'
                Source: 0.2.wcNDx6MT9O.exe.4fc7130.3.raw.unpack, mETe3e9eJ7WkxHYTha.csHigh entropy of concatenated method names: 'HQtXP8vhph', 'zWmXgUqieU', 'ToString', 'zxCX178NGb', 'dUMXAyvBMy', 'wEMXVF6gGp', 'U98XNnvD0q', 'jUFX5BQVvu', 'UrxXyYg9CT', 'pYWXJPfkqr'
                Source: 0.2.wcNDx6MT9O.exe.4fc7130.3.raw.unpack, w0gtIRaOXHZ2QP1fM1.csHigh entropy of concatenated method names: 'mY4NMoUMn1', 'M0rNilpLCl', 'pbOVK7WVPP', 'o2tVwMSbSY', 'n4SVvBFPlQ', 'aiNVei5jri', 'ulkVERrmi5', 'yZoVjtOH6L', 'VKAV7PtJN8', 'LxdVRWENcC'
                Source: 0.2.wcNDx6MT9O.exe.4fc7130.3.raw.unpack, jtWnDg0cSfWELCDUka.csHigh entropy of concatenated method names: 'yAaACCjedN', 'RPuADVbfd9', 'klGAQ8FHYQ', 'bRnA9rB1bT', 'TPNAhUv5tY', 'gpOAxoRmt9', 'dJCAZyawMN', 'H8LAbTW1F2', 'OciAGTB00E', 'OBnA4B9OTx'
                Source: 0.2.wcNDx6MT9O.exe.4fc7130.3.raw.unpack, oeCUdqGTkfhC9g3eDN.csHigh entropy of concatenated method names: 'SStmW2JRjS', 'riamYpmESH', 'YyDmK8R8s3', 'HS1mwo6yKm', 'kAOmCQqMJI', 'AQjmvnVXqB', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.wcNDx6MT9O.exe.4fc7130.3.raw.unpack, ch39ygTmoAVi4SgNt2.csHigh entropy of concatenated method names: 'fThr0xeNPw', 'P2prUC9Rjw', 'f0ErWmnLyQ', 'RV5rYSae2m', 'BhSrwRZcnD', 'iXorvn9p5A', 'J1FrEp1CsA', 'kBerjOA9fL', 'aPyrRHOmPe', 'HwTr3fco6c'
                Source: 0.2.wcNDx6MT9O.exe.4fc7130.3.raw.unpack, O0ixJHJCCpGHlJVqSq.csHigh entropy of concatenated method names: 'MSTlcle7yV', 'tqyl14l6Vq', 'Kt4lANKoyT', 'emglV2fbsQ', 'wn0lN9jWMr', 'Cj3l570j2r', 'ucSlyAowtR', 'xnUlJgOHMW', 'ltZlkWlDJN', 'FZalP4N0Er'
                Source: 0.2.wcNDx6MT9O.exe.4fc7130.3.raw.unpack, GfN18RSvm5sBKTe34j.csHigh entropy of concatenated method names: 'r4E8v2l3x', 'K5NLVTagP', 'hS72ldbMU', 'pQkiqpE9M', 'cq4UGroGO', 'JUCaiG510', 'okbflhVUHDt0pWmNBI', 'RPoi43e7412hwVcdHU', 'l5DmCt2nF', 'fCkOYqGDC'
                Source: 0.2.wcNDx6MT9O.exe.4fc7130.3.raw.unpack, X8q2DAU4CsgHjQGmBI.csHigh entropy of concatenated method names: 'DmuVLdslSC', 'hwIV2uk8D2', 'ULfV0gBOBB', 'eXsVUEHdUl', 'nWUVd8lXFQ', 'jHAVfW2nSJ', 'KMFVXpj3X8', 'kXKVmnA2e7', 'ulUVIu7RmZ', 'qwAVOWxoTi'
                Source: 0.2.wcNDx6MT9O.exe.4fc7130.3.raw.unpack, dE0oRC75a8GXQofHYg.csHigh entropy of concatenated method names: 'kcayuHPCLW', 'ofjytRnv6u', 'CRiy8Nh4cp', 'HnZyL7wS9U', 'F5kyMJQqli', 'KTwy2JGhGn', 'hXfyiaiOTT', 'YUHy0xMmpD', 's1wyUxxOC8', 'eNoyaaOXeG'
                Source: 0.2.wcNDx6MT9O.exe.4fc7130.3.raw.unpack, HUEaTcA4P0w5x2Cyyy.csHigh entropy of concatenated method names: 'Dispose', 'PSlHGtj0vq', 'Gr8SYQDbtg', 'HMLPP7Saoh', 'IIQH4I9H74', 'pynHzIl8Vm', 'ProcessDialogKey', 'QddSBeCUdq', 'PkfSHhC9g3', 'KDNSSCfvZW'
                Source: 0.2.wcNDx6MT9O.exe.4fc7130.3.raw.unpack, QfvZW242W7h8u1nPhm.csHigh entropy of concatenated method names: 'AhQIHW25uY', 'TPZIlIP6o0', 'xgPIsA5LJu', 'hvHI12R7fI', 'dajIA5Nn5F', 'RE4IN82RG7', 'Jr2I5Uudju', 'R0VmZOWmy6', 'GdGmb7QO8s', 'RU0mGQRpIP'
                Source: 0.2.wcNDx6MT9O.exe.4fc7130.3.raw.unpack, HS7wt7HllKZKgIxj1Mh.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lxyOCy1xci', 'lCwODpbn0k', 'H8qOQRJGn3', 'IClO9y0Hmt', 'PJiOhWjv8f', 'WLdOx7m46h', 'nwXOZSnQY6'
                Source: 0.2.wcNDx6MT9O.exe.4fc7130.3.raw.unpack, RngeWtWPQugBgDmLQE.csHigh entropy of concatenated method names: 'Yno5cn4uoC', 'vpG5AdDguj', 'nQS5NFoPoL', 'iCx5y61nXO', 'CRF5JpaVmo', 'q3qNhUQq2c', 'PCNNxr1IAE', 'WHCNZlItl0', 'JEbNb8fXOt', 'xyANG3a7nr'
                Source: 0.2.wcNDx6MT9O.exe.4fc7130.3.raw.unpack, pBVVkeEteMVkRhYmt4.csHigh entropy of concatenated method names: 'wFFy1AqgAx', 'gUByVr9lNN', 'wYLy5ixNKU', 'C3g54n5Y6l', 'oy95zBuxeM', 'a8eyBVcuj9', 'Ta3yHQumMP', 'YlCySXKWTS', 'pfkylkxRfb', 'T1lysKfNMB'
                Source: 0.2.wcNDx6MT9O.exe.4fc7130.3.raw.unpack, Lbv3DxsrfgleJMRY4g.csHigh entropy of concatenated method names: 'qSyHytWnDg', 'eSfHJWELCD', 'g4CHPsgHjQ', 'YmBHgIp0gt', 'm1fHdM1Cng', 'JWtHfPQugB', 'ovYkjZtyjVdFy9lEk5', 'W0V1PLLUL66qg1b76U', 'tM1HHDZjYm', 'wuEHlKrwhD'
                Source: 0.2.wcNDx6MT9O.exe.4fc7130.3.raw.unpack, oeaRAKQnCqu6p8ySPx.csHigh entropy of concatenated method names: 'ToString', 'Tf3f3ctCwq', 'dbUfYImff0', 'm0pfKpCtm0', 'Co3fwiBS26', 'a2ffvMdehN', 'OOifeQWAuf', 'hrrfEBFfSi', 'dTLfjAJol5', 'DsZf7lWyDy'
                Source: 10.2.udDHoOiYEFTRf.exe.412be20.3.raw.unpack, sQI9H7b4fynIl8VmTd.csHigh entropy of concatenated method names: 'NMsm1M5PVC', 'usimAs3hl7', 'f4PmVqjCQy', 'PprmNVlJ8q', 'kckm5WfhEO', 'H8umyuABWl', 'S7MmJunxVq', 'cfUmkgNOOV', 'NH2mPNlCUr', 'fYHmgOgJZF'
                Source: 10.2.udDHoOiYEFTRf.exe.412be20.3.raw.unpack, vYFSIDHBgdqCf20gw9E.csHigh entropy of concatenated method names: 'hhbIuVQxIo', 'PCbItQjOjX', 'cJQI8Sc4lF', 'OAjILlMPdu', 'CAlIMuZVpS', 'QNuI2LYT9a', 'sTpIiEr4f4', 'brpI08rwXt', 'cjlIUCHogx', 'tGNIaDuExU'
                Source: 10.2.udDHoOiYEFTRf.exe.412be20.3.raw.unpack, FPDSfOzUOURJrcVNn8.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JP5IrR5nEF', 'y12IdN4Xul', 'NdeIfuaxAQ', 'X1mIXfwgYq', 'KUZImILaZ4', 'aHjIIphEFv', 'Ca6IO01JHA'
                Source: 10.2.udDHoOiYEFTRf.exe.412be20.3.raw.unpack, mR8SLixX3WsIs6EtVr.csHigh entropy of concatenated method names: 'FhhXbfa16P', 'RS1X4Zw9AP', 'rtrmBPLtTq', 'vBsmHvERCW', 'XdSX3fQWwx', 'xOOXFbUSm5', 'rdrXT0e5pC', 'y1jXClrvVs', 'gcIXDQuZ4K', 'MMCXQrhDru'
                Source: 10.2.udDHoOiYEFTRf.exe.412be20.3.raw.unpack, mETe3e9eJ7WkxHYTha.csHigh entropy of concatenated method names: 'HQtXP8vhph', 'zWmXgUqieU', 'ToString', 'zxCX178NGb', 'dUMXAyvBMy', 'wEMXVF6gGp', 'U98XNnvD0q', 'jUFX5BQVvu', 'UrxXyYg9CT', 'pYWXJPfkqr'
                Source: 10.2.udDHoOiYEFTRf.exe.412be20.3.raw.unpack, w0gtIRaOXHZ2QP1fM1.csHigh entropy of concatenated method names: 'mY4NMoUMn1', 'M0rNilpLCl', 'pbOVK7WVPP', 'o2tVwMSbSY', 'n4SVvBFPlQ', 'aiNVei5jri', 'ulkVERrmi5', 'yZoVjtOH6L', 'VKAV7PtJN8', 'LxdVRWENcC'
                Source: 10.2.udDHoOiYEFTRf.exe.412be20.3.raw.unpack, jtWnDg0cSfWELCDUka.csHigh entropy of concatenated method names: 'yAaACCjedN', 'RPuADVbfd9', 'klGAQ8FHYQ', 'bRnA9rB1bT', 'TPNAhUv5tY', 'gpOAxoRmt9', 'dJCAZyawMN', 'H8LAbTW1F2', 'OciAGTB00E', 'OBnA4B9OTx'
                Source: 10.2.udDHoOiYEFTRf.exe.412be20.3.raw.unpack, oeCUdqGTkfhC9g3eDN.csHigh entropy of concatenated method names: 'SStmW2JRjS', 'riamYpmESH', 'YyDmK8R8s3', 'HS1mwo6yKm', 'kAOmCQqMJI', 'AQjmvnVXqB', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 10.2.udDHoOiYEFTRf.exe.412be20.3.raw.unpack, ch39ygTmoAVi4SgNt2.csHigh entropy of concatenated method names: 'fThr0xeNPw', 'P2prUC9Rjw', 'f0ErWmnLyQ', 'RV5rYSae2m', 'BhSrwRZcnD', 'iXorvn9p5A', 'J1FrEp1CsA', 'kBerjOA9fL', 'aPyrRHOmPe', 'HwTr3fco6c'
                Source: 10.2.udDHoOiYEFTRf.exe.412be20.3.raw.unpack, O0ixJHJCCpGHlJVqSq.csHigh entropy of concatenated method names: 'MSTlcle7yV', 'tqyl14l6Vq', 'Kt4lANKoyT', 'emglV2fbsQ', 'wn0lN9jWMr', 'Cj3l570j2r', 'ucSlyAowtR', 'xnUlJgOHMW', 'ltZlkWlDJN', 'FZalP4N0Er'
                Source: 10.2.udDHoOiYEFTRf.exe.412be20.3.raw.unpack, GfN18RSvm5sBKTe34j.csHigh entropy of concatenated method names: 'r4E8v2l3x', 'K5NLVTagP', 'hS72ldbMU', 'pQkiqpE9M', 'cq4UGroGO', 'JUCaiG510', 'okbflhVUHDt0pWmNBI', 'RPoi43e7412hwVcdHU', 'l5DmCt2nF', 'fCkOYqGDC'
                Source: 10.2.udDHoOiYEFTRf.exe.412be20.3.raw.unpack, X8q2DAU4CsgHjQGmBI.csHigh entropy of concatenated method names: 'DmuVLdslSC', 'hwIV2uk8D2', 'ULfV0gBOBB', 'eXsVUEHdUl', 'nWUVd8lXFQ', 'jHAVfW2nSJ', 'KMFVXpj3X8', 'kXKVmnA2e7', 'ulUVIu7RmZ', 'qwAVOWxoTi'
                Source: 10.2.udDHoOiYEFTRf.exe.412be20.3.raw.unpack, dE0oRC75a8GXQofHYg.csHigh entropy of concatenated method names: 'kcayuHPCLW', 'ofjytRnv6u', 'CRiy8Nh4cp', 'HnZyL7wS9U', 'F5kyMJQqli', 'KTwy2JGhGn', 'hXfyiaiOTT', 'YUHy0xMmpD', 's1wyUxxOC8', 'eNoyaaOXeG'
                Source: 10.2.udDHoOiYEFTRf.exe.412be20.3.raw.unpack, HUEaTcA4P0w5x2Cyyy.csHigh entropy of concatenated method names: 'Dispose', 'PSlHGtj0vq', 'Gr8SYQDbtg', 'HMLPP7Saoh', 'IIQH4I9H74', 'pynHzIl8Vm', 'ProcessDialogKey', 'QddSBeCUdq', 'PkfSHhC9g3', 'KDNSSCfvZW'
                Source: 10.2.udDHoOiYEFTRf.exe.412be20.3.raw.unpack, QfvZW242W7h8u1nPhm.csHigh entropy of concatenated method names: 'AhQIHW25uY', 'TPZIlIP6o0', 'xgPIsA5LJu', 'hvHI12R7fI', 'dajIA5Nn5F', 'RE4IN82RG7', 'Jr2I5Uudju', 'R0VmZOWmy6', 'GdGmb7QO8s', 'RU0mGQRpIP'
                Source: 10.2.udDHoOiYEFTRf.exe.412be20.3.raw.unpack, HS7wt7HllKZKgIxj1Mh.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lxyOCy1xci', 'lCwODpbn0k', 'H8qOQRJGn3', 'IClO9y0Hmt', 'PJiOhWjv8f', 'WLdOx7m46h', 'nwXOZSnQY6'
                Source: 10.2.udDHoOiYEFTRf.exe.412be20.3.raw.unpack, RngeWtWPQugBgDmLQE.csHigh entropy of concatenated method names: 'Yno5cn4uoC', 'vpG5AdDguj', 'nQS5NFoPoL', 'iCx5y61nXO', 'CRF5JpaVmo', 'q3qNhUQq2c', 'PCNNxr1IAE', 'WHCNZlItl0', 'JEbNb8fXOt', 'xyANG3a7nr'
                Source: 10.2.udDHoOiYEFTRf.exe.412be20.3.raw.unpack, pBVVkeEteMVkRhYmt4.csHigh entropy of concatenated method names: 'wFFy1AqgAx', 'gUByVr9lNN', 'wYLy5ixNKU', 'C3g54n5Y6l', 'oy95zBuxeM', 'a8eyBVcuj9', 'Ta3yHQumMP', 'YlCySXKWTS', 'pfkylkxRfb', 'T1lysKfNMB'
                Source: 10.2.udDHoOiYEFTRf.exe.412be20.3.raw.unpack, Lbv3DxsrfgleJMRY4g.csHigh entropy of concatenated method names: 'qSyHytWnDg', 'eSfHJWELCD', 'g4CHPsgHjQ', 'YmBHgIp0gt', 'm1fHdM1Cng', 'JWtHfPQugB', 'ovYkjZtyjVdFy9lEk5', 'W0V1PLLUL66qg1b76U', 'tM1HHDZjYm', 'wuEHlKrwhD'
                Source: 10.2.udDHoOiYEFTRf.exe.412be20.3.raw.unpack, oeaRAKQnCqu6p8ySPx.csHigh entropy of concatenated method names: 'ToString', 'Tf3f3ctCwq', 'dbUfYImff0', 'm0pfKpCtm0', 'Co3fwiBS26', 'a2ffvMdehN', 'OOifeQWAuf', 'hrrfEBFfSi', 'dTLfjAJol5', 'DsZf7lWyDy'
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeCode function: 26_2_00406EB0 ShellExecuteW,URLDownloadToFileW,26_2_00406EB0
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeFile created: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe

                Boot Survival

                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\udDHoOiYEFTRf" /XML "C:\Users\user\AppData\Local\Temp\tmp3326.tmp"
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeCode function: 26_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,26_2_0041AA4A

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeCode function: 18_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,18_2_004047CB
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

Source: Yara match  File source: Process Memory Space: wcNDx6MT9O.exe PID: 2856, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: 26_2_0040F7A7 Sleep,ExitProcess,  26_2_0040F7A7
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Memory allocated: 1860000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Memory allocated: 3210000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Memory allocated: 1860000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Memory allocated: 8F10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Memory allocated: 9F10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Memory allocated: A100000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Memory allocated: B100000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Memory allocated: B4E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Memory allocated: C4E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Memory allocated: D4E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Memory allocated: E9A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Memory allocated: F9A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Memory allocated: 109A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Memory allocated: 119A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Memory allocated: 12B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Memory allocated: 3040000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Memory allocated: 1510000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Memory allocated: 88F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Memory allocated: 98F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Memory allocated: 9AD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Memory allocated: AAD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Memory allocated: AE80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Memory allocated: BE80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Memory allocated: 9AD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Memory allocated: AE80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Memory allocated: BE80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Code function: 17_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,  17_2_0040DD85
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,  26_2_0041A748
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 8000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1113
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 8533
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 986
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Window / User API: threadDelayed 517
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Window / User API: threadDelayed 8938
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Window / User API: foregroundWindowGot 1768
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  API coverage: 9.7 %
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  API coverage: 6.3 %
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe TID: 3960  Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7492  Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7408  Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7496  Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe TID: 7460  Thread sleep count: 257 > 30
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe TID: 7460  Thread sleep time: -128500s >= -30000s
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe TID: 7464  Thread sleep count: 517 > 30
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe TID: 7464  Thread sleep time: -1551000s >= -30000s
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe TID: 7464  Thread sleep count: 8938 > 30
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe TID: 7464  Thread sleep time: -26814000s >= -30000s
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe TID: 7528  Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Code function: 9_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,  9_2_100010F1
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Code function: 9_2_10006580 FindFirstFileExA,  9_2_10006580
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Code function: 17_2_0040AE51 FindFirstFileW,FindNextFileW,  17_2_0040AE51
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Code function: 18_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,  18_2_00407EF8
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Code function: 19_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,  19_2_00407898
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: 26_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,  26_2_00409253
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: 26_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,  26_2_0041C291
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: 26_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,  26_2_0040C34D
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: 26_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,  26_2_00409665
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: 26_2_0044E879 FindFirstFileExA,  26_2_0044E879
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: 26_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,  26_2_0040880C
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: 26_2_0040783C FindFirstFileW,FindNextFileW,  26_2_0040783C
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: 26_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,  26_2_00419AF5
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: 26_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,  26_2_0040BB30
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: 26_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,  26_2_0040BD37
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: 26_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,  26_2_00407C97
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Code function: 17_2_00418981 memset,GetSystemInfo,  17_2_00418981
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Thread delayed: delay time: 922337203685477
Source: wcNDx6MT9O.exe, 00000009.00000002.3678364652.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAWv
Source: wcNDx6MT9O.exe, 00000009.00000002.3677982562.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, wcNDx6MT9O.exe, 00000009.00000002.3678364652.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  API call chain: ExitProcess graph end node  graph_18-34127
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Code function: 9_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,  9_2_100060E2
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Code function: 17_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,  17_2_0040DD85
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Code function: 17_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,  17_2_004044A4
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Code function: 9_2_10004AB4 mov eax, dword ptr fs:[00000030h]  9_2_10004AB4
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: 26_2_004432B5 mov eax, dword ptr fs:[00000030h]  26_2_004432B5
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Code function: 9_2_1000724E GetProcessHeap,  9_2_1000724E
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process token adjusted: Debug
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Process token adjusted: Debug
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Code function: 9_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,  9_2_100060E2
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Code function: 9_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,  9_2_10002639
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Code function: 9_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,  9_2_10002B1C
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: 26_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,  26_2_004349F9
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: 26_2_00434B47 SetUnhandledExceptionFilter,  26_2_00434B47
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: 26_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,  26_2_0043BB22
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: 26_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,  26_2_00434FDC
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wcNDx6MT9O.exe"
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe"
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wcNDx6MT9O.exe"
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe"
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Memory written: C:\Users\user\Desktop\wcNDx6MT9O.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Memory written: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Section loaded: NULL target: C:\Users\user\Desktop\wcNDx6MT9O.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe  26_2_004120F7
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: 26_2_00419627 mouse_event,  26_2_00419627
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wcNDx6MT9O.exe"
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe"
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\udDHoOiYEFTRf" /XML "C:\Users\user\AppData\Local\Temp\tmp3326.tmp"
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Process created: C:\Users\user\Desktop\wcNDx6MT9O.exe "C:\Users\user\Desktop\wcNDx6MT9O.exe"
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Process created: C:\Users\user\Desktop\wcNDx6MT9O.exe C:\Users\user\Desktop\wcNDx6MT9O.exe /stext "C:\Users\user\AppData\Local\Temp\aavmzypeykbx"
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Process created: C:\Users\user\Desktop\wcNDx6MT9O.exe C:\Users\user\Desktop\wcNDx6MT9O.exe /stext "C:\Users\user\AppData\Local\Temp\kciwarigmttcboj"
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Process created: C:\Users\user\Desktop\wcNDx6MT9O.exe C:\Users\user\Desktop\wcNDx6MT9O.exe /stext "C:\Users\user\AppData\Local\Temp\uwopajtzablhlufojfu"
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\udDHoOiYEFTRf" /XML "C:\Users\user\AppData\Local\Temp\tmp496D.tmp"
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Process created: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe "C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe"
Source: wcNDx6MT9O.exe, 00000009.00000002.3677982562.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, wcNDx6MT9O.exe, 00000009.00000002.3678364652.0000000000D43000.00000004.00000020.00020000.00000000.sdmp, wcNDx6MT9O.exe, 00000009.00000002.3678364652.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Program Manager
Source: wcNDx6MT9O.exe, 00000009.00000002.3678364652.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Program ManagerBI\26
Source: wcNDx6MT9O.exe, 00000009.00000002.3678364652.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Program ManagerBI\
Source: wcNDx6MT9O.exe, 00000009.00000002.3677982562.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, wcNDx6MT9O.exe, 00000009.00000002.3678364652.0000000000D43000.00000004.00000020.00020000.00000000.sdmp, wcNDx6MT9O.exe, 00000009.00000002.3678364652.0000000000D86000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: [2024/07/03 08:51:02 Program Manager]
Source: wcNDx6MT9O.exe, 00000009.00000002.3678364652.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Program Managerr|
Source: wcNDx6MT9O.exe, 00000009.00000002.3677982562.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, wcNDx6MT9O.exe, 00000009.00000002.3678364652.0000000000D43000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: |Program Manager|
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Code function: 9_2_10002933 cpuid  9_2_10002933
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: EnumSystemLocalesW,  26_2_00452036
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,  26_2_004520C3
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: GetLocaleInfoW,  26_2_00452313
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: EnumSystemLocalesW,  26_2_00448404
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,  26_2_0045243C
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: GetLocaleInfoW,  26_2_00452543
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,  26_2_00452610
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: GetLocaleInfoA,  26_2_0040F8D1
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: GetLocaleInfoW,  26_2_004488ED
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,  26_2_00451CD8
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: EnumSystemLocalesW,  26_2_00451F50
Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe  Code function: EnumSystemLocalesW,  26_2_00451F9B
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Queries volume information: C:\Users\user\Desktop\wcNDx6MT9O.exe VolumeInformation
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\wcNDx6MT9O.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeQueries volume information: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeCode function: 9_2_10002264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,9_2_10002264
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeCode function: 18_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,18_2_004082CD
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exeCode function: 26_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,26_2_00449190
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeCode function: 17_2_0041739B GetVersionExW,17_2_0041739B
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                Source: Yara match | File source: 10.2.udDHoOiYEFTRf.exe.43e08a0.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 26.2.udDHoOiYEFTRf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 26.2.udDHoOiYEFTRf.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.wcNDx6MT9O.exe.4cd0ab0.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.wcNDx6MT9O.exe.4d496d0.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.udDHoOiYEFTRf.exe.43e08a0.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.udDHoOiYEFTRf.exe.4367c80.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.udDHoOiYEFTRf.exe.4367c80.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.wcNDx6MT9O.exe.4d496d0.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.wcNDx6MT9O.exe.4cd0ab0.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000009.00000002.3680200622.00000000029BE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3678364652.0000000000D43000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3677982562.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001A.00000002.1299117760.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001A.00000002.1298673963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.1323365621.000000000424D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1269149311.0000000004C0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: wcNDx6MT9O.exe PID: 2856, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: wcNDx6MT9O.exe PID: 7376, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: udDHoOiYEFTRf.exe PID: 7504, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: udDHoOiYEFTRf.exe PID: 7172, type: MEMORYSTR
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 26_2_0040BA12
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 26_2_0040BB30
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: \key3.db | 26_2_0040BB30
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: ESMTPPassword | 18_2_004033F0
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword | 18_2_00402DB3
                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword | 18_2_00402DB3
                Source: Yara match | File source: Process Memory Space: wcNDx6MT9O.exe PID: 7868, type: MEMORYSTR

                Remote Access Functionality

                Source: C:\Users\user\Desktop\wcNDx6MT9O.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-KDW6BI
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-KDW6BI
                Source: Yara match | File source: 10.2.udDHoOiYEFTRf.exe.43e08a0.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 26.2.udDHoOiYEFTRf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 26.2.udDHoOiYEFTRf.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.wcNDx6MT9O.exe.4cd0ab0.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.wcNDx6MT9O.exe.4d496d0.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.udDHoOiYEFTRf.exe.43e08a0.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.udDHoOiYEFTRf.exe.4367c80.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.udDHoOiYEFTRf.exe.4367c80.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.wcNDx6MT9O.exe.4d496d0.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.wcNDx6MT9O.exe.4cd0ab0.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000009.00000002.3680200622.00000000029BE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3678364652.0000000000D43000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3677982562.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001A.00000002.1299117760.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001A.00000002.1298673963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.1323365621.000000000424D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1269149311.0000000004C0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: wcNDx6MT9O.exe PID: 2856, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: wcNDx6MT9O.exe PID: 7376, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: udDHoOiYEFTRf.exe PID: 7504, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: udDHoOiYEFTRf.exe PID: 7172, type: MEMORYSTR
                Source: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | Code function: cmd.exe | 26_2_0040569A
                MITRE ATT&CK Matrix (numbers prefixing a technique are as shown in the report; columns separated by "|")

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 Windows Service | 1 Bypass User Account Control | 1 Deobfuscate/Decode Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
                Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 Access Token Manipulation | 4 Obfuscated Files or Information | 2 Credentials in Registry | 1 System Service Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | 2 Service Execution | Login Hook | 1 Windows Service | 12 Software Packing | 3 Credentials In Files | 3 File and Directory Discovery | Distributed Component Object Model | 211 Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 222 Process Injection | 1 DLL Side-Loading | LSA Secrets | 38 System Information Discovery | SSH | 3 Clipboard Data | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Scheduled Task/Job | 1 Bypass User Account Control | Cached Domain Credentials | 131 Security Software Discovery | VNC | GUI Input Capture | 12 Application Layer Protocol | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 31 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 31 Virtualization/Sandbox Evasion | Proc Filesystem | 4 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 222 Process Injection | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                Behavior Graph (rendered graph; node contents recovered as text)

                Behavior Graph ID: 1466894 | Sample: wcNDx6MT9O.exe | Startdate: 03/07/2024 | Architecture: WINDOWS | Score: 100
                DNS/IP: geoplugin.net
                Signatures at sample level: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 12 other signatures
                Started processes: wcNDx6MT9O.exe (node 8); udDHoOiYEFTRf.exe (node 12)

                wcNDx6MT9O.exe (node 8)
                  Dropped files: C:\Users\user\AppData\...\udDHoOiYEFTRf.exe (PE32); C:\...\udDHoOiYEFTRf.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp3326.tmp (XML); C:\Users\user\AppData\...\wcNDx6MT9O.exe.log (ASCII)
                  Signatures: Tries to steal Mail credentials (via file registry); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
                  Child processes: wcNDx6MT9O.exe (node 14); powershell.exe (node 19); powershell.exe (node 21); schtasks.exe (node 23)

                udDHoOiYEFTRf.exe (node 12)
                  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Contains functionality to bypass UAC (CMSTPLUA); 6 other signatures
                  Child processes: udDHoOiYEFTRf.exe (node 25); schtasks.exe (node 27)

                wcNDx6MT9O.exe (node 14)
                  Network: 107.173.4.16, ports 2560, 49701, 49703, AS-COLOCROSSINGUS, United States; geoplugin.net 178.237.33.50, ports 49704, 80, ATOM86-ASATOM86NL, Netherlands
                  Dropped files: C:\ProgramData\remcos\logs.dat (data)
                  Signatures: Detected Remcos RAT; Maps a DLL or memory area into another process; Installs a global keyboard hook
                  Child processes: wcNDx6MT9O.exe (node 29); wcNDx6MT9O.exe (node 32); wcNDx6MT9O.exe (node 34)

                powershell.exe (node 19): Loading BitLocker PowerShell Module; child processes conhost.exe (node 36), WmiPrvSE.exe (node 38)
                powershell.exe (node 21): child process conhost.exe (node 40)
                schtasks.exe (node 23): child process conhost.exe (node 42)
                schtasks.exe (node 27): child process conhost.exe (node 44)
                wcNDx6MT9O.exe (node 29): Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)
                wcNDx6MT9O.exe (node 32): Tries to harvest and steal browser information (history, passwords, etc)

                Antivirus detection for the submitted sample
                Source | Detection | Scanner | Label | Link
                wcNDx6MT9O.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.Remcos |
                wcNDx6MT9O.exe | 100% | Avira | TR/AD.Remcos.bczkh |
                wcNDx6MT9O.exe | 100% | Joe Sandbox ML | |

                Antivirus detection for dropped files
                Source | Detection | Scanner | Label | Link
                C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | 100% | Avira | TR/AD.Remcos.bczkh |
                C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.Remcos |
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
                http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe |
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
                http://www.nirsoft.net/ | 0% | Avira URL Cloud | safe |
                https://www.google.com | 0% | Avira URL Cloud | safe |
                http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe |
                http://www.imvu.comr | 0% | Avira URL Cloud | safe |
                http://www.imvu.com | 0% | Avira URL Cloud | safe |
                https://www.google.com/accounts/servicelogin | 0% | Avira URL Cloud | safe |
                https://login.yahoo.com/config/login | 0% | Avira URL Cloud | safe |
                http://www.nirsoft.net | 0% | Avira URL Cloud | safe |
                http://geoplugin.net/json.gpONTD~1 | 0% | Avira URL Cloud | safe |
                107.173.4.16 | 0% | Avira URL Cloud | safe |
                http://www.ebuddy.com | 0% | Avira URL Cloud | safe |
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  geoplugin.net | 178.237.33.50 | true | false | | unknown

                  Name | Malicious | Antivirus Detection | Reputation
                  http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
                  107.173.4.16 | true | Avira URL Cloud: safe | unknown

                  Name | Source | Malicious | Antivirus Detection | Reputation
                  https://www.google.com | wcNDx6MT9O.exe, wcNDx6MT9O.exe, 00000013.00000002.1275427104.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.imvu.comr | wcNDx6MT9O.exe, 00000013.00000002.1275427104.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  http://geoplugin.net/json.gp/C | wcNDx6MT9O.exe, 00000000.00000002.1269149311.0000000004C0A000.00000004.00000800.00020000.00000000.sdmp, udDHoOiYEFTRf.exe, 0000000A.00000002.1323365621.000000000424D000.00000004.00000800.00020000.00000000.sdmp, udDHoOiYEFTRf.exe, 0000001A.00000002.1298673963.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://www.imvu.com | wcNDx6MT9O.exe, wcNDx6MT9O.exe, 00000013.00000002.1275427104.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  https://www.google.com/accounts/servicelogin | wcNDx6MT9O.exe | false | Avira URL Cloud: safe | unknown
                  https://login.yahoo.com/config/login | wcNDx6MT9O.exe | false | Avira URL Cloud: safe | unknown
                  http://www.nirsoft.net | wcNDx6MT9O.exe, 00000011.00000002.1288198307.0000000000EF3000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.nirsoft.net/ | wcNDx6MT9O.exe, 00000013.00000002.1275427104.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  http://geoplugin.net/json.gpONTD~1 | wcNDx6MT9O.exe, 00000009.00000002.3677982562.0000000000D07000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | wcNDx6MT9O.exe, 00000000.00000002.1268365827.0000000003525000.00000004.00000800.00020000.00000000.sdmp, udDHoOiYEFTRf.exe, 0000000A.00000002.1320720545.0000000003041000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                  http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | wcNDx6MT9O.exe, 00000013.00000002.1275427104.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  http://www.ebuddy.com | wcNDx6MT9O.exe, wcNDx6MT9O.exe, 00000013.00000002.1275427104.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                  107.173.4.16 | unknown | United States | | 36352 | AS-COLOCROSSINGUS | true
                  178.237.33.50 | geoplugin.net | Netherlands | | 8455 | ATOM86-ASATOM86NL | false
                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1466894
                  Start date and time:2024-07-03 14:50:09 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 10m 45s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:34
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:wcNDx6MT9O.exe
                  renamed because original name is a hash value
                  Original Sample Name:a2d59c9b9dfe1048afea948f5063f485765b429254fc018d6eefdc4be192106e.exe
                  Detection:MAL
                  Classification:mal100.rans.phis.troj.spyw.expl.evad.winEXE@25/19@1/2
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 98%
                  • Number of executed functions: 214
                  • Number of non-executed functions: 290
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Report size getting too big, too many NtCreateKey calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                  • VT rate limit hit for: wcNDx6MT9O.exe
Time | Type | Description
08:51:00 | API Interceptor | 7372697x Sleep call for process: wcNDx6MT9O.exe modified
08:51:02 | API Interceptor | 32x Sleep call for process: powershell.exe modified
08:51:04 | API Interceptor | 1x Sleep call for process: udDHoOiYEFTRf.exe modified
14:51:02 | Task Scheduler | Run new task: udDHoOiYEFTRf path: C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
107.173.4.16 | 1Ccw7uyuFv.exe | malicious | Remcos |
107.173.4.16 | RFQ_83747384738757384754837483.xls | malicious | Remcos, PrivateLoader |
107.173.4.16 | Soxj8psIXH.exe | malicious | Remcos, PrivateLoader, PureLog Stealer |
107.173.4.16 | N7rv2A6qGR.rtf | malicious | Remcos, PrivateLoader |
107.173.4.16 | 51hk2L6Kgw.exe | malicious | Remcos, PrivateLoader |
107.173.4.16 | RFQ_39573837483837438744.xls | malicious | Remcos, PrivateLoader |
107.173.4.16 | Inquiry_list_88364836383764834.xls | malicious | Remcos |
107.173.4.16 | a0uagTpHuq.exe | malicious | Remcos |
107.173.4.16 | WFRlr0p5IH.exe | malicious | Remcos, DBatLoader |
178.237.33.50 | cnaniAxghZ.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | xBkOubR0eL.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | PO#2195112.vbs | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | TT_Payment_Slip.bat.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | SOA.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | PAYMENT COPY.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | STATEMENT OF ACCOUNT.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | Requirement reference for quotation.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | STATEMENT OF ACCOUNT.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe | malicious | DBatLoader, Remcos | geoplugin.net/json.gp
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
geoplugin.net | cnaniAxghZ.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | xBkOubR0eL.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | PO#2195112.vbs | malicious | Remcos | 178.237.33.50
geoplugin.net | TT_Payment_Slip.bat.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | SOA.vbs | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | PAYMENT COPY.vbs | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | STATEMENT OF ACCOUNT.vbs | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | Requirement reference for quotation.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | STATEMENT OF ACCOUNT.vbs | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe | malicious | DBatLoader, Remcos | 178.237.33.50
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
ATOM86-ASATOM86NL | cnaniAxghZ.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | xBkOubR0eL.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | PO#2195112.vbs | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | TT_Payment_Slip.bat.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | SOA.vbs | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | PAYMENT COPY.vbs | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | STATEMENT OF ACCOUNT.vbs | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | Requirement reference for quotation.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | STATEMENT OF ACCOUNT.vbs | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe | malicious | DBatLoader, Remcos | 178.237.33.50
AS-COLOCROSSINGUS | cnaniAxghZ.exe | malicious | Remcos | 107.175.229.139
AS-COLOCROSSINGUS | execute_and_cleanup.sh | malicious | Unknown | 108.174.58.28
AS-COLOCROSSINGUS | 4YlwTsmpuZ.rtf | malicious | Unknown | 23.95.235.16
AS-COLOCROSSINGUS | Payment_Advice.xls | malicious | Unknown | 192.3.179.150
AS-COLOCROSSINGUS | DHL_AWB 98776013276.xls | malicious | FormBook | 23.95.235.16
AS-COLOCROSSINGUS | Scan-Payment-Advice.xls | malicious | Lokibot | 198.46.178.137
AS-COLOCROSSINGUS | orden de compra.xlam.xlsx | malicious | AgentTesla | 192.3.243.156
AS-COLOCROSSINGUS | ORDER-7019-2024.js | malicious | AgentTesla | 192.210.215.11
AS-COLOCROSSINGUS | PO-24701248890.js | malicious | WSHRat | 192.210.215.11
AS-COLOCROSSINGUS | FedEx Receipt_53065724643.xls | malicious | FormBook | 23.95.235.16
                                    Process:C:\Users\user\Desktop\wcNDx6MT9O.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):344
                                    Entropy (8bit):7.382047068708701
                                    Encrypted:false
                                    SSDEEP:6:8bOOaNQea/FJ6tuVUS6zHOMQwJFj5znL9RUmERIFtBoc8At7J2LXXpd:8iFNQe6FctuVUpOyjJL93/oc8At8X5d
                                    MD5:08703DC6750E70BFC85D72D686F9417E
                                    SHA1:1119468C576E448D2086785A8FAE5B4B1F9AD0BE
                                    SHA-256:39B0ED61935A85FD2D2BAE5B07AF7FF1105DC4DA701B8779FCDAC9CEB69BC9A9
                                    SHA-512:59F8D9C8AA9A65BE5CEC64E7452BB639ACAD6A54AD07384493ED3F8EFE207FBB42B72CE3DDEC990267CB24E334C1BE810E232666267E2A35702FAD8C424367F3
                                    Malicious:true
                                    Reputation:low
                                    Preview:...qm.'..... a.e.B~....`...\.d$YCF..#.W*c....>......S.U.m.bs.{4&.j!.Kh.0.?...'..@.G..0.'...682..(.BDN._.....x..B.p....#B..s5C*.J.?e.P..nT....Pmp..'..3U.C.........2.x......<....C... .{A.Pg.....DT.@..ET.YB{N{v...t.c.....,Pf.%.8.....lz.S.~..K.....z..W4..o..R.M.Lix.$..Tva1...).{<.vL...c..S".I.... ."...#..5.....k..D.q.*.cf..C..Y..[.
                                    Process:C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1216
                                    Entropy (8bit):5.34331486778365
                                    Encrypted:false
                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                    Process:C:\Users\user\Desktop\wcNDx6MT9O.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1216
                                    Entropy (8bit):5.34331486778365
                                    Encrypted:false
                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                    Malicious:true
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                    Process:C:\Users\user\Desktop\wcNDx6MT9O.exe
                                    File Type:JSON data
                                    Category:dropped
                                    Size (bytes):962
                                    Entropy (8bit):5.013130376969173
                                    Encrypted:false
                                    SSDEEP:12:tklu+mnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdVauKyGX85jvXhNlT3/7AcV9Wro
                                    MD5:F61E5CC20FBBA892FF93BFBFC9F41061
                                    SHA1:36CD25DFAD6D9BC98697518D8C2F5B7E12A5864E
                                    SHA-256:28B330BB74B512AFBD70418465EC04C52450513D3CC8609B08B293DBEC847568
                                    SHA-512:5B6AD2F42A82AC91491C594714638B1EDCA26D60A9932C96CBA229176E95CA3FD2079B68449F62CBFFFFCA5DA6F4E25B7B49AF8A8696C95A4F11C54BCF451933
                                    Malicious:false
                                    Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:modified
                                    Size (bytes):2232
                                    Entropy (8bit):5.380046556058007
                                    Encrypted:false
                                    SSDEEP:48:tWSU4xympx4RfoUP7gZ9tK8NPZHUx7u1iMuge//Z8vUyus:tLHxv/IwLZ2KRH6Ouggs
                                    MD5:5E4B1897C705CB459423F8E36ABBD0B0
                                    SHA1:530A8FA56CF9F96607CA4591893B10DF9C0590FA
                                    SHA-256:72AB3481733CE01E4F3F5060E3DF1F88750554D84C597CF3DFE72AC5AFD24F28
                                    SHA-512:F69BEDE13A21059D2D1A55D3A7A6524AD585F832F0F652D69B117548B6393BADCED54BEB2DBAA762CE138B3357B1F26E540D21E56C4F9EF4FA7F34587A24D0F0
                                    Malicious:false
                                    Preview:@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Users\user\Desktop\wcNDx6MT9O.exe
                                    File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                    Category:modified
                                    Size (bytes):2
                                    Entropy (8bit):1.0
                                    Encrypted:false
                                    SSDEEP:3:Qn:Qn
                                    MD5:F3B25701FE362EC84616A93A45CE9998
                                    SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                    SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                    SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                    Malicious:false
                                    Preview:..
                                    Process:C:\Users\user\Desktop\wcNDx6MT9O.exe
                                    File Type:Extensible storage engine DataBase, version 0x620, checksum 0x9f59b020, page size 32768, DirtyShutdown, Windows version 10.0
                                    Category:dropped
                                    Size (bytes):15728640
                                    Entropy (8bit):0.10103965264833503
                                    Encrypted:false
                                    SSDEEP:1536:GSB2jpSB2jFSjlK/4w/ZweshzbOlqVquesezbgl4KCIeszO/Zk3EufY:Ga6amUueqtDiu6b
                                    MD5:05ED31CC5A8F6E5591DCBD13F044B588
                                    SHA1:E224223FD7D82169BE2B50FA9C5AA514F6EBBC34
                                    SHA-256:53CEC4FD5E5126208BA267073853ACD92BF70203157D20DCA7151B98882A914D
                                    SHA-512:1F82B82F706EE8ECFA1860E1F81334FAE5D95951B8731A9DE01166DE3925F7363580C78774E405842054E359E8631A9BF1FAC2A8BF22E3F8DCE523D3A0008C5F
                                    Malicious:false
                                    Preview:.Y. ... ...................':...{........................N......4...{_..5...{..h.P.........................-.1.':...{..........................................................................................................eJ......n........................................................................................................... .......':...{..............................................................................................................................................................................................,....{......................................5...{..................."...5...{C..........................#......h.P.....................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\wcNDx6MT9O.exe
                                    File Type:XML 1.0 document, ASCII text
                                    Category:dropped
                                    Size (bytes):1607
                                    Entropy (8bit):5.124234071711199
                                    Encrypted:false
                                    SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtFLxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTF1v
                                    MD5:F5292E2656E71F2C8C879CB4BFD0DF32
                                    SHA1:7B56667D585F2E1809E5F206FDFB67757D959ED3
                                    SHA-256:6BB04EF99FC5063F9692E0197029876E8C50D3F847B8D02C688FAF6495762905
                                    SHA-512:6C4D953BBCCFB8272219875C29D5C36149971BC7F0B73DC9B6FFDFE2746002455C999A514AF6E5B5D25DF4EBAE53A34B8D80E0018356D40F8592F32557139C17
                                    Malicious:true
                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                    Process:C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe
                                    File Type:XML 1.0 document, ASCII text
                                    Category:dropped
                                    Size (bytes):1607
                                    Entropy (8bit):5.124234071711199
                                    Encrypted:false
                                    SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtFLxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTF1v
                                    MD5:F5292E2656E71F2C8C879CB4BFD0DF32
                                    SHA1:7B56667D585F2E1809E5F206FDFB67757D959ED3
                                    SHA-256:6BB04EF99FC5063F9692E0197029876E8C50D3F847B8D02C688FAF6495762905
                                    SHA-512:6C4D953BBCCFB8272219875C29D5C36149971BC7F0B73DC9B6FFDFE2746002455C999A514AF6E5B5D25DF4EBAE53A34B8D80E0018356D40F8592F32557139C17
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                    Process:C:\Users\user\Desktop\wcNDx6MT9O.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):1042432
                                    Entropy (8bit):7.878971829794964
                                    Encrypted:false
                                    SSDEEP:24576:ypp36n2RoIbt/FN6k6B00YyAWfv0RYk8:yppKUt9YVLSS0R
                                    MD5:3DEAB4A2B72656BB263E29EE4AB44983
                                    SHA1:87B64BAAB0C3B8BF7F718937DEBF02102A4649A9
                                    SHA-256:A2D59C9B9DFE1048AFEA948F5063F485765B429254FC018D6EEFDC4BE192106E
                                    SHA-512:A16319BB8148807AB6A3C42E53897AC03E73CECEC7927063740E428C9B71CC85A2DC474FD5ECBF28C66B1867643FD0EF73BF753768EF36C1EE686BDA4468745F
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 74%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....|Ef..............0.................. ........@.. .......................@............@.................................p...O............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\wcNDx6MT9O.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:3:ggPYV:rPYV
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:true
                                    Preview:[ZoneTransfer]....ZoneId=0
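The two smallest dropped files above are the ones that matter for the incident timeline: a Task Scheduler XML body with an enabled LogonTrigger (written twice, once by the original sample and once by its copy in AppData\Roaming) and a Zone.Identifier stream carrying ZoneId=0, i.e. the LocalMachine zone rather than the Internet zone a downloaded file would have. The following is an added example, not code from the Joe Sandbox report or from the sample: it parses both artifacts and returns the fields an analyst records. The task XML is constructed from the preview; its <Actions> element is an assumption (the preview stops before it) and the command path is the dropped copy the report names as a process. The Zone.Identifier bytes are the 26-byte file exactly as listed.

```python
"""Triage of two dropped artifacts: a Task Scheduler XML body and a
Zone.Identifier stream (added example, not from the report or the sample)."""
import configparser
import re
import xml.etree.ElementTree as ET
from typing import Any, Dict, Optional

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# URLZONE ids as stored in the Zone.Identifier alternate data stream.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# Constructed from the report's preview. The declaration claims UTF-16 while the
# bytes are ASCII, exactly as the report records ("XML 1.0 document, ASCII text").
TASK_XML_ASCII = b"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled><UserId>user-PC\\user</UserId></LogonTrigger>
    <RegistrationTrigger><Enabled>false</Enabled></RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <!-- Assumed: the preview is truncated before <Actions>; the path is the dropped copy named in the report -->
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\user\\AppData\\Roaming\\udDHoOiYEFTRf.exe</Command></Exec>
  </Actions>
</Task>
"""
# The dropped Zone.Identifier content as listed: "[ZoneTransfer]" CRLF CRLF "ZoneId=0".
ZONE_IDENTIFIER = b"[ZoneTransfer]\r\n\r\nZoneId=0"


def decode_task_xml(raw: bytes) -> str:
    """Decode by BOM, not by the XML declaration: the declaration lies here
    (UTF-16 declared, ASCII on disk) and expat would fail on the mismatch."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8", errors="replace")
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", text, count=1).lstrip()


def triage_task(raw: bytes) -> Dict[str, Any]:
    """Return the persistence-relevant fields of a Task Scheduler XML body."""
    root = ET.fromstring(decode_task_xml(raw))

    def first(*tags: str) -> Optional[str]:
        node = root.find("/".join(NS + t for t in tags))
        return node.text.strip() if node is not None and node.text else None

    enabled = []
    triggers = root.find(NS + "Triggers")
    for trig in (list(triggers) if triggers is not None else []):
        flag = trig.find(NS + "Enabled")
        # Task Scheduler treats a missing <Enabled> as true.
        if flag is None or (flag.text or "").strip().lower() == "true":
            enabled.append(trig.tag.replace(NS, ""))
    return {
        "author": first("RegistrationInfo", "Author"),
        "registered": first("RegistrationInfo", "Date"),
        "enabled_triggers": enabled,
        "run_level": first("Principals", "Principal", "RunLevel"),
        "logon_type": first("Principals", "Principal", "LogonType"),
        "instances_policy": first("Settings", "MultipleInstancesPolicy"),
        "command": first("Actions", "Exec", "Command"),
        "persists_at_logon": "LogonTrigger" in enabled,
    }


def parse_zone_identifier(raw: bytes) -> Dict[str, Any]:
    """Parse a Zone.Identifier ADS; only zones 3 and 4 are the mark SmartScreen acts on."""
    cp = configparser.ConfigParser()
    cp.read_string(raw.decode("utf-8", errors="replace"))
    zone = cp.getint("ZoneTransfer", "ZoneId")
    return {"zone_id": zone, "zone": ZONE_NAMES.get(zone, "unknown"), "untrusted_origin": zone >= 3}


if __name__ == "__main__":
    for key, value in triage_task(TASK_XML_ASCII).items():
        print(f"task.{key}: {value}")
    print("zone:", parse_zone_identifier(ZONE_IDENTIFIER))
```

Decoding by BOM instead of trusting the declaration is the point of `decode_task_xml`: a parser that honours encoding="UTF-16" on these ASCII bytes fails, which is how such files slip past naive tooling. `untrusted_origin` is False for ZoneId=0, so a copy written this way is treated by Windows as a local file and gets no Mark-of-the-Web prompt.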
                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):7.878971829794964
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    File name:wcNDx6MT9O.exe
                                    File size:1'042'432 bytes
                                    MD5:3deab4a2b72656bb263e29ee4ab44983
                                    SHA1:87b64baab0c3b8bf7f718937debf02102a4649a9
                                    SHA256:a2d59c9b9dfe1048afea948f5063f485765b429254fc018d6eefdc4be192106e
                                    SHA512:a16319bb8148807ab6a3c42e53897ac03e73cecec7927063740e428c9b71cc85a2dc474fd5ecbf28c66b1867643fd0ef73bf753768ef36c1ee686bda4468745f
                                    SSDEEP:24576:ypp36n2RoIbt/FN6k6B00YyAWfv0RYk8:yppKUt9YVLSS0R
                                    TLSH:43252340F3A9D8F9DD9E47B148AEA8100772394E90B5970E24EA7B5AD97374314E3B0F
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....|Ef..............0.................. ........@.. .......................@............@................................
                                    Icon Hash:6be6a4acc5ce5a6b
                                    Entrypoint:0x4eecc2
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x66457CD7 [Thu May 16 03:26:15 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(the bytes that follow are zero padding; the disassembler renders them as 97 repeated "add byte ptr [eax], al", none of which is reached after the unconditional jmp)
The target 0x402000 is ImageBase 0x400000 plus the IAT RVA 0x2000 from the data directory table below, i.e. the single imported slot (mscoree.dll!_CorExeMain). This is the standard unmanaged entry stub of a .NET executable: the native entrypoint does nothing but hand control to the CLR, so the real behaviour is in the managed code, and the .text entropy of 7.98 indicates that the managed payload is itself packed or encrypted.
Data directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xeec70          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xf0000          0x10f00       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x102000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0xeccc8       0xed000   3070fac24c13c6ff129bea98448bd6b8  False     0.9707072455168776   data       7.979597620755101    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xf0000          0x10f00       0x11000   1a01db5a3ffa35e2b823c061ca556f8a  False     0.20638499540441177  data       4.267279737139069    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x102000         0xc           0x400     76656afd647d5fe1b7857d2231f27994  False     0.025390625          data       0.05585530805374581  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources (Language and Country are unset for every entry)

Name           RVA       Size     Type                                                                                 ZLIB Complexity
RT_ICON        0xf0160   0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 67584                  0.1999585945818053
RT_GROUP_ICON  0x100988  0x14     data                                                                                 1.0
RT_GROUP_ICON  0x10099c  0x14     data                                                                                 1.05
RT_VERSION     0x1009b0  0x364    data                                                                                 0.4205069124423963
RT_MANIFEST    0x100d14  0x1ea    XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators   0.5489795918367347

Imports

DLL          Import
mscoree.dll  _CorExeMain
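Two of the static facts above are worth re-checking by hand whenever a sandbox calls a .NET sample packed: the entrypoint must be the single `jmp dword ptr [ImageBase + IAT RVA]` stub through the one mscoree!_CorExeMain import (anything else means native code runs before the CLR is loaded), and the .text section entropy of 7.98 sits in the range of encrypted or compressed payloads rather than compiled IL. The following is an added example, not code from the Joe Sandbox report or from the sample: the constants (ImageBase 0x400000, IAT RVA 0x2000, entrypoint 0x4eecc2, the section table, the reported .text entropy) are taken from the static section above, while the section bodies fed to the entropy function are constructed because the binary itself is not on the page.

```python
"""Re-checking the CLR entry stub and section entropy a sandbox reports for a
.NET sample (added example, not from the report or the sample)."""
import math
import struct
from collections import Counter
from typing import Optional

# Values from the report's static section.
IMAGE_BASE = 0x400000
IAT_RVA = 0x2000                          # IMAGE_DIRECTORY_ENTRY_IAT, size 8: one slot
ENTRYPOINT_RVA = 0x4EECC2 - IMAGE_BASE    # report gives the VA 0x4eecc2
REPORTED_TEXT_ENTROPY = 7.979597620755101
# (name, virtual address, virtual size) from the report's section table.
SECTIONS = [(".text", 0x2000, 0xECCC8), (".rsrc", 0xF0000, 0x10F00), (".reloc", 0x102000, 0xC)]

# The report's entrypoint instruction `jmp dword ptr [00402000h]`, re-encoded as FF 25 disp32.
ENTRY_STUB = b"\xff\x25\x00\x20\x40\x00"
# Constructed section bodies: a full byte-value cycle (uniform, 8.0 bits) and zero padding.
PACKED_LIKE = bytes(range(256)) * 64
ZERO_PADDING = bytes(4096)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    n = len(data)
    h = 0.0
    for count in Counter(data).values():
        p = count / n
        h -= p * math.log2(p)
    return h


def entropy_verdict(entropy: float) -> str:
    """Triage bucket; the 7.2 and 6.0 cut-offs are a rule of thumb, not a standard."""
    if entropy >= 7.2:
        return "packed or encrypted payload likely"
    if entropy >= 6.0:
        return "ordinary compiled code or data"
    return "sparse or mostly zero"


def decode_abs_jmp(stub: bytes) -> Optional[int]:
    """Decode x86 `FF 25 disp32` (jmp dword ptr [abs32]); None if not that instruction."""
    if len(stub) < 6 or stub[:2] != b"\xff\x25":
        return None
    return struct.unpack_from("<I", stub, 2)[0]


def is_clr_entry_stub(stub: bytes, image_base: int = IMAGE_BASE, iat_rva: int = IAT_RVA) -> bool:
    """True when the unmanaged entrypoint is the indirect jmp through the IAT slot
    that holds mscoree!_CorExeMain, i.e. the stock .NET loader stub."""
    return decode_abs_jmp(stub) == image_base + iat_rva


def section_for_rva(rva: int) -> Optional[str]:
    """Name of the section whose virtual range contains the RVA, or None."""
    for name, va, size in SECTIONS:
        if va <= rva < va + size:
            return name
    return None


def triage() -> dict:
    return {
        "entry_section": section_for_rva(ENTRYPOINT_RVA),
        "entry_is_clr_stub": is_clr_entry_stub(ENTRY_STUB),
        "entry_jmp_target": decode_abs_jmp(ENTRY_STUB),
        "reported_text_verdict": entropy_verdict(REPORTED_TEXT_ENTROPY),
        "uniform_bytes_entropy": shannon_entropy(PACKED_LIKE),
        "zero_padding_entropy": shannon_entropy(ZERO_PADDING),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value:#x}" if key == "entry_jmp_target" else f"{key}: {value}")
```

When run against a real file, the same checks are made on the bytes at the entrypoint's file offset and on each section's raw data; a stub that resolves to anything other than the IAT slot, or an IAT with more than one slot, means the "pure .NET" assumption no longer holds and the native code deserves a look before the managed payload.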
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Jul 3, 2024 14:51:03.500993967 CEST  49701        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:03.506985903 CEST  2560         49701      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:03.507064104 CEST  49701        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:03.513489008 CEST  49701        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:03.518439054 CEST  2560         49701      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:04.014167070 CEST  2560         49701      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:04.056735039 CEST  49701        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:04.153351068 CEST  2560         49701      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:04.158098936 CEST  49701        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:04.162976027 CEST  2560         49701      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:04.163156986 CEST  49701        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:04.168790102 CEST  2560         49701      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:04.586678982 CEST  2560         49701      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:04.592364073 CEST  49701        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:04.597265005 CEST  2560         49701      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:04.689853907 CEST  2560         49701      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:04.701689959 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:04.706832886 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:04.706955910 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:04.710619926 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:04.715615034 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:04.742296934 CEST  49701        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.191850901 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.323085070 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.323173046 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.327224970 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.332123041 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.332181931 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.337011099 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.490263939 CEST  49704        80         192.168.2.7    178.237.33.50
Jul 3, 2024 14:51:05.495366096 CEST  80           49704      178.237.33.50  192.168.2.7
Jul 3, 2024 14:51:05.495512962 CEST  49704        80         192.168.2.7    178.237.33.50
Jul 3, 2024 14:51:05.495671988 CEST  49704        80         192.168.2.7    178.237.33.50
Jul 3, 2024 14:51:05.500538111 CEST  80           49704      178.237.33.50  192.168.2.7
Jul 3, 2024 14:51:05.501727104 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.501769066 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.501821995 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.501828909 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.501908064 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.501919031 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.501933098 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.501964092 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.501990080 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.502054930 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.502067089 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.502078056 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.502115965 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.502770901 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.502825975 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.502899885 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.502919912 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.503001928 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.507038116 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.507086039 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.507124901 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.589238882 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.589278936 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.589292049 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.589329958 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.589340925 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.589354038 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.589366913 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.589382887 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.589405060 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.589848042 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.589914083 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.589926004 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.589951038 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.590038061 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.590050936 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.590075970 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.590806961 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.590820074 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.590831995 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.590843916 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.590857029 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.590859890 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.590869904 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.590893984 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.590909004 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.591506958 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.591550112 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.591562986 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.591577053 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.591681957 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.591701984 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.591715097 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.591723919 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.591752052 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.592430115 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.592469931 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.592503071 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.592514992 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.592556953 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.677429914 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.677472115 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.677486897 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.677515984 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.677707911 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.677721024 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.677732944 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.677751064 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.677752972 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.677767038 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.677778006 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.677778959 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.677791119 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.677803993 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.677803993 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.677817106 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.677829981 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.677836895 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.677844048 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.677876949 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.677886963 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.678425074 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.678436995 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.678450108 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.678462029 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.678468943 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.678482056 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.678971052 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.678985119 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.678998947 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.679009914 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.679025888 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.679060936 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.679207087 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.679220915 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.679233074 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.679244041 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.679255962 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.679260969 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.679291010 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.679620981 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.679636002 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.679650068 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.679688931 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.679713011 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.679754019 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.679768085 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.679780960 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.679792881 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.679807901 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.679836035 CEST  49703        2560       192.168.2.7    107.173.4.16
Jul 3, 2024 14:51:05.680259943 CEST  2560         49703      107.173.4.16   192.168.2.7
Jul 3, 2024 14:51:05.680491924 CEST  2560         49703      107.173.4.16   192.168.2.7
                                    Jul 3, 2024 14:51:05.680504084 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.680517912 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.680552006 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.680574894 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.680628061 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.680645943 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.680665970 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.680702925 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.680782080 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.680797100 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.680840015 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.681618929 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.681638956 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.681651115 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.681663036 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.681672096 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.681675911 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.681703091 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.681720972 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.764693975 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.764724016 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.764735937 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.764781952 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.764844894 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.764858007 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.764870882 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.764883041 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.764884949 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.764913082 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.765069008 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.765083075 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.765124083 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.765189886 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.765239954 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.765250921 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.765281916 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.765281916 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.765305996 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.765345097 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.765356064 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.765386105 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.765464067 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.765476942 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.765511036 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.765635967 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.765647888 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.765660048 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.765671968 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.765678883 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.765683889 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.765696049 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.765721083 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.766052008 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.766066074 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.766108036 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.766217947 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.766228914 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.766242027 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.766266108 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.766341925 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.766354084 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.766366959 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.766393900 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.766417027 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.766556978 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.766617060 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.766629934 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.766654968 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.766740084 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.766752005 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.766763926 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.766776085 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.766788960 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.766801119 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.766969919 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.766983032 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.766997099 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.767008066 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.767011881 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.767020941 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.767038107 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.767064095 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.767468929 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.767482996 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.767498970 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.767528057 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.767585039 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.767596006 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.767607927 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.767620087 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.767621994 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.767649889 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.767831087 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.767848015 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.767860889 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.767873049 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.767884970 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.767889023 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.767914057 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.767926931 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.768014908 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.768321991 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.768354893 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.768367052 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.768367052 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.768410921 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.768729925 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.768742085 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.768752098 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.768764019 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.768785954 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.768805027 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.768809080 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.768821955 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.768862009 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.768984079 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.768996954 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.769010067 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.769021988 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.769052029 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.769077063 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.769234896 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.769295931 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.769308090 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.769359112 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.769438028 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.769450903 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.769463062 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.769474983 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.769489050 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.769505024 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.769678116 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.769690990 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.769701958 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.769714117 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.769720078 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.769725084 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.769737005 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.769740105 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.769763947 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.770261049 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.770272017 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.770313025 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.770313025 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.851644039 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.852782965 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.852808952 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.852819920 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.852826118 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.852839947 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.852847099 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.852858067 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.852869034 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.852880001 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.852890968 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.852914095 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.852940083 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.853087902 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.853099108 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.853111029 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.853127003 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.853137970 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.853138924 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.853148937 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.853163004 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.853240013 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.853328943 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.853341103 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.853384018 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.853385925 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.853395939 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.853406906 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.853419065 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.853449106 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.853704929 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.853707075 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.853717089 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.853729963 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.853743076 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.853754997 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.853758097 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.853944063 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.853955030 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.853965044 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.853970051 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.853976965 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.853988886 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.853991985 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.854015112 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.854101896 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.854185104 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.854197025 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.854331017 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.854342937 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.854356050 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.854357958 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.854500055 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.854512930 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.854528904 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.854686022 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.854692936 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.854698896 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.854711056 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.854763985 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.854763985 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.855036020 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.855047941 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.855058908 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.855070114 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.855089903 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.855097055 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.855101109 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.855115891 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.855119944 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.855176926 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.855190039 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.855195999 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.855207920 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.855212927 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.855235100 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.855298042 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.855670929 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.855690956 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.855703115 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.855715036 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.855717897 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.855726004 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.855736971 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.855748892 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.855756044 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.855762005 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.855768919 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.855775118 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.855786085 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.855796099 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.855797052 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.855822086 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.855906010 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.860229969 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.860244989 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.860256910 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.860268116 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.860280991 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.860291958 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.860304117 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.860304117 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.860332966 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.860757113 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.860776901 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.860789061 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.860800028 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.860810995 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.860821962 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.860833883 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.860835075 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.860845089 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.860857010 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.860861063 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.860882044 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.860903978 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.860959053 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.860970020 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.860981941 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.860991955 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.861026049 CEST497032560192.168.2.7107.173.4.16
                                    Jul 3, 2024 14:51:05.861109972 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.861121893 CEST256049703107.173.4.16192.168.2.7
                                    Jul 3, 2024 14:51:05.861133099 CEST256049703107.173.4.16192.168.2.7
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Jul 3, 2024 14:51:05.474677086 CEST  51985        53         192.168.2.7   1.1.1.1
Jul 3, 2024 14:51:05.483591080 CEST  53           51985      1.1.1.1       192.168.2.7
Jul 3, 2024 14:51:47.031055927 CEST  53           55928      162.159.36.2  192.168.2.7
Jul 3, 2024 14:51:47.521588087 CEST  53           61598      1.1.1.1       192.168.2.7

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name           Type            Class        DNS over HTTPS
Jul 3, 2024 14:51:05.474677086 CEST  192.168.2.7  1.1.1.1  0x873c    Standard query (0)  geoplugin.net  A (IP address)  IN (0x0001)  false

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name           CName  Address        Type            Class        DNS over HTTPS
Jul 3, 2024 14:51:05.483591080 CEST  1.1.1.1    192.168.2.7  0x873c    No error (0)  geoplugin.net  -      178.237.33.50  A (IP address)  IN (0x0001)  false
                                    • geoplugin.net
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.7  49704        178.237.33.50   80                7376  C:\Users\user\Desktop\wcNDx6MT9O.exe
Timestamp                            Bytes transferred  Direction  Data
Jul 3, 2024 14:51:05.495671988 CEST  71                 OUT        GET /json.gp HTTP/1.1
                                                                   Host: geoplugin.net
                                                                   Cache-Control: no-cache
Jul 3, 2024 14:51:06.121915102 CEST  1170               IN         HTTP/1.1 200 OK
                                                                   date: Wed, 03 Jul 2024 12:51:06 GMT
                                                                   server: Apache
                                                                   content-length: 962
                                                                   content-type: application/json; charset=utf-8
                                                                   cache-control: public, max-age=300
                                                                   access-control-allow-origin: *
                                    Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



                                    Target ID:0
                                    Start time:08:51:00
                                    Start date:03/07/2024
                                    Path:C:\Users\user\Desktop\wcNDx6MT9O.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\wcNDx6MT9O.exe"
                                    Imagebase:0xdf0000
                                    File size:1'042'432 bytes
                                    MD5 hash:3DEAB4A2B72656BB263E29EE4AB44983
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1269149311.0000000004C0A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1269149311.0000000004C0A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1269149311.0000000004C0A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    Reputation:low
                                    Has exited:true

                                    Target ID:3
                                    Start time:08:51:01
                                    Start date:03/07/2024
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\wcNDx6MT9O.exe"
                                    Imagebase:0x990000
                                    File size:433'152 bytes
                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:4
                                    Start time:08:51:01
                                    Start date:03/07/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff75da10000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:08:51:01
                                    Start date:03/07/2024
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe"
                                    Imagebase:0x990000
                                    File size:433'152 bytes
                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:6
                                    Start time:08:51:01
                                    Start date:03/07/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff75da10000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:7
                                    Start time:08:51:01
                                    Start date:03/07/2024
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\udDHoOiYEFTRf" /XML "C:\Users\user\AppData\Local\Temp\tmp3326.tmp"
                                    Imagebase:0xdf0000
                                    File size:187'904 bytes
                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:8
                                    Start time:08:51:01
                                    Start date:03/07/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff75da10000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:9
                                    Start time:08:51:02
                                    Start date:03/07/2024
                                    Path:C:\Users\user\Desktop\wcNDx6MT9O.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\wcNDx6MT9O.exe"
                                    Imagebase:0x6b0000
                                    File size:1'042'432 bytes
                                    MD5 hash:3DEAB4A2B72656BB263E29EE4AB44983
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.3680200622.00000000029BE000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.3678364652.0000000000D43000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.3677982562.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:false

                                    Target ID:10
                                    Start time:08:51:02
                                    Start date:03/07/2024
                                    Path:C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe
                                    Imagebase:0xb90000
                                    File size:1'042'432 bytes
                                    MD5 hash:3DEAB4A2B72656BB263E29EE4AB44983
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.1323365621.000000000424D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.1323365621.000000000424D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.1323365621.000000000424D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 74%, ReversingLabs
                                    Reputation:low
                                    Has exited:true

                                    Target ID:12
                                    Start time:08:51:04
                                    Start date:03/07/2024
                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                    Imagebase:0x7ff7fb730000
                                    File size:496'640 bytes
                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                    Has elevated privileges:true
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:17
                                    Start time:08:51:04
                                    Start date:03/07/2024
                                    Path:C:\Users\user\Desktop\wcNDx6MT9O.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\Desktop\wcNDx6MT9O.exe /stext "C:\Users\user\AppData\Local\Temp\aavmzypeykbx"
                                    Imagebase:0xa10000
                                    File size:1'042'432 bytes
                                    MD5 hash:3DEAB4A2B72656BB263E29EE4AB44983
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:18
                                    Start time:08:51:05
                                    Start date:03/07/2024
                                    Path:C:\Users\user\Desktop\wcNDx6MT9O.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\Desktop\wcNDx6MT9O.exe /stext "C:\Users\user\AppData\Local\Temp\kciwarigmttcboj"
                                    Imagebase:0x4a0000
                                    File size:1'042'432 bytes
                                    MD5 hash:3DEAB4A2B72656BB263E29EE4AB44983
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:19
                                    Start time:08:51:05
                                    Start date:03/07/2024
                                    Path:C:\Users\user\Desktop\wcNDx6MT9O.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\Desktop\wcNDx6MT9O.exe /stext "C:\Users\user\AppData\Local\Temp\uwopajtzablhlufojfu"
                                    Imagebase:0xfc0000
                                    File size:1'042'432 bytes
                                    MD5 hash:3DEAB4A2B72656BB263E29EE4AB44983
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:24
                                    Start time:08:51:07
                                    Start date:03/07/2024
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\udDHoOiYEFTRf" /XML "C:\Users\user\AppData\Local\Temp\tmp496D.tmp"
                                    Imagebase:0xdf0000
                                    File size:187'904 bytes
                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:25
                                    Start time:08:51:07
                                    Start date:03/07/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff75da10000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:26
                                    Start time:08:51:07
                                    Start date:03/07/2024
                                    Path:C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Roaming\udDHoOiYEFTRf.exe"
                                    Imagebase:0x860000
                                    File size:1'042'432 bytes
                                    MD5 hash:3DEAB4A2B72656BB263E29EE4AB44983
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000002.1299117760.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000002.1298673963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001A.00000002.1298673963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001A.00000002.1298673963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001A.00000002.1298673963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001A.00000002.1298673963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                    Reputation:low
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:13.3%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:2.7%
                                      Total number of Nodes:370
                                      Total number of Limit Nodes:15

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1288593140.000000000E550000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E550000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e550000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: /V-+$^f6$Zku$`yT
                                      • API String ID: 0-1940165033
                                      • Opcode ID: 793d1c03edb56f4dd2bd2af844b8a930d0319d17811b2234d20c6e3e1d1e46d5
                                      • Instruction ID: 0f377425dfa90967182ea675f3c981b4649373be275c2c11a647c4aeb0fb0aaf
                                      • Opcode Fuzzy Hash: 793d1c03edb56f4dd2bd2af844b8a930d0319d17811b2234d20c6e3e1d1e46d5
                                      • Instruction Fuzzy Hash: 62220675E15219CFDB24CFA6D99479DBBF2BB89340F10C8AAD80AAB354DB305981CF14

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1288593140.000000000E550000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E550000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e550000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: /V-+$^f6$Zku$`yT
                                      • API String ID: 0-1940165033
                                      • Opcode ID: daaabb263ee3f06f01869dba07d79ea53d4d5147de6a8adb75a9828d10b8449a
                                      • Instruction ID: cedb69c6433fc77e7cff7ffa8b0dad325f00b155bb7d417992be367e34e83c09
                                      • Opcode Fuzzy Hash: daaabb263ee3f06f01869dba07d79ea53d4d5147de6a8adb75a9828d10b8449a
                                      • Instruction Fuzzy Hash: 9F220575E15219CFDB14CFA6D99479DBBF2BB89300F14C8AAD80AAB354DB309981CF14

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1288593140.000000000E550000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E550000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e550000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: /V-+$^f6$Zku
                                      • API String ID: 0-867436096
                                      • Opcode ID: 647f2591b3243576d29331da543ee75c6253c27fe4e01bc5c26614ccac616a2c
                                      • Instruction ID: d9f9b8c1ee63760fc6cc2abf68f5f7142531ceb3df17e94becae999d755b5fa9
                                      • Opcode Fuzzy Hash: 647f2591b3243576d29331da543ee75c6253c27fe4e01bc5c26614ccac616a2c
                                      • Instruction Fuzzy Hash: D3A1E874E05219CFDB24CFA5C954BADBBB2FB48340F1088AAD80AAB354DB315E81CF54

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1288593140.000000000E550000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E550000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e550000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: /V-+$^f6$Zku
                                      • API String ID: 0-867436096
                                      • Opcode ID: a6611c1cba680ee8c6bfbe0ce5722f2fe8402460490b32bc9080816044ea7235
                                      • Instruction ID: b0c81d4a12cbca510715331040e298771fab1288bdde98dc24c079d8ce34968d
                                      • Opcode Fuzzy Hash: a6611c1cba680ee8c6bfbe0ce5722f2fe8402460490b32bc9080816044ea7235
                                      • Instruction Fuzzy Hash: 67A1E874E05219CFDB24DFA5C954BADBBB2FB88340F1089AAD80AAB354DB315D81CF50

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1288593140.000000000E550000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E550000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e550000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: /V-+$^f6$Zku
                                      • API String ID: 0-867436096
                                      • Opcode ID: 21553f0b2fadf7ea62b916e0bc7b8273204614ef50941b4ca5464760c0401333
                                      • Instruction ID: a343cbee52bbc2e05c3ce48ebda16d3808bb0a1501f524bb35bcab590b8d0c31
                                      • Opcode Fuzzy Hash: 21553f0b2fadf7ea62b916e0bc7b8273204614ef50941b4ca5464760c0401333
                                      • Instruction Fuzzy Hash: E691C374E15229CFDB64DF65C954BADBBB2FB88200F1085AAD80EAB344DB315E81CF10

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1276474084.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_5790000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $Wq
                                      • API String ID: 0-3336791411
                                      • Opcode ID: 8998e9552113462abafdbaa3b5791db23a49de4cd71d191701823e376f9a8449
                                      • Instruction ID: 8c9b66001f8928455afe6edbd7789cf94886b5d34a121bdb5dd649066451ca14
                                      • Opcode Fuzzy Hash: 8998e9552113462abafdbaa3b5791db23a49de4cd71d191701823e376f9a8449
                                      • Instruction Fuzzy Hash: ECF2FA34A11619DFDB14DF64D898A9DB7B2FF89300F6182E9D8096B360DB31AE85CF50

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1276474084.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_5790000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $Wq
                                      • API String ID: 0-3336791411
                                      • Opcode ID: 74061d6a5db5c54b0fa016482e5902c5a790f1dfa4630ac8d0ab7259216ab634
                                      • Instruction ID: e39aedfed9c14bb4d9d50b442cec3b2ec27c36f33f5f8acd8a8f1f5a717bad1d
                                      • Opcode Fuzzy Hash: 74061d6a5db5c54b0fa016482e5902c5a790f1dfa4630ac8d0ab7259216ab634
                                      • Instruction Fuzzy Hash: 38E2FA34A11619DFDB24DF64D898B99B7B1FF89300F6182E9D4096B360DB31AE85CF50
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267902620.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18a0000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0ccfe7f34e90d7b10f1be401a18f6da1e60f8019cd1fc71d5785fc634a52c84a
                                      • Instruction ID: acc0c428f42a05044d7dd55b4448cc7670b6192492f0910fce345dff484298ab
                                      • Opcode Fuzzy Hash: 0ccfe7f34e90d7b10f1be401a18f6da1e60f8019cd1fc71d5785fc634a52c84a
                                      • Instruction Fuzzy Hash: 8E32AD31B056048FEB19DB69C4A4BAEB7F6AF89304F54446DE206DB391CB35EE02CB51
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1268250652.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_31e0000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b163f62e5f3cbf6d84ae2c35adfa2e350a384962921bca08617ad6bd9a0542bc
                                      • Instruction ID: 993e26b3842af782857699d6e661e48c7c82c972c999e89bdf0db7b007a5b325
                                      • Opcode Fuzzy Hash: b163f62e5f3cbf6d84ae2c35adfa2e350a384962921bca08617ad6bd9a0542bc
                                      • Instruction Fuzzy Hash: 69912B53720940C7C725A1BB8C167AB16C5876E02CF0ACA999254DF3F2EB57C802A36F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1288593140.000000000E550000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E550000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e550000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e82ad3541f3553c7e331f64eecc3b31969eac718d1736d91682b335142f5ddc0
                                      • Instruction ID: ad40dcaaade4bbd85adbe595a9ca6d605add5536ff89abc80d366326c50c85f1
                                      • Opcode Fuzzy Hash: e82ad3541f3553c7e331f64eecc3b31969eac718d1736d91682b335142f5ddc0
                                      • Instruction Fuzzy Hash: 64A1F775E05219DBDB18CFA6D89059EFBF2FF99300F20D92AD825AB264D7349906CF00
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1288593140.000000000E550000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E550000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e550000_wcNDx6MT9O.jbxd

                                      Control-flow Graph (rendered graph omitted; function starts at 18a383c and contains the CreateProcessA call)
                                      APIs
                                      • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 018A3A7E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267902620.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18a0000_wcNDx6MT9O.jbxd

                                      Control-flow Graph (rendered graph omitted; function starts at 18a3848 and contains the CreateProcessA call)
                                      APIs
                                      • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 018A3A7E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267902620.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18a0000_wcNDx6MT9O.jbxd

                                      Control-flow Graph (rendered graph omitted; function starts at 31eada8 and contains the GetModuleHandleW call)
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 031EAFFE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1268250652.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_31e0000_wcNDx6MT9O.jbxd

                                      Control-flow Graph (rendered graph omitted; function starts at 57918e4 and contains the CreateWindowExW call)
                                      APIs
                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05791A02
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1276474084.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_5790000_wcNDx6MT9O.jbxd

                                      Control-flow Graph (rendered graph omitted; function starts at 57918f0 and contains the CreateWindowExW call)
                                      APIs
                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05791A02
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1276474084.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_5790000_wcNDx6MT9O.jbxd

                                      Control-flow Graph (rendered graph omitted; function starts at 31e590c and contains the CreateActCtxA call)
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 031E59C9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1268250652.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_31e0000_wcNDx6MT9O.jbxd

                                      Control-flow Graph (rendered graph omitted; function starts at 31e44b4 and contains the CreateActCtxA call)
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 031E59C9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1268250652.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_31e0000_wcNDx6MT9O.jbxd
                                      APIs
                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 05794101
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1276474084.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_5790000_wcNDx6MT9O.jbxd
                                      APIs
                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 018A7D8D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267902620.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18a0000_wcNDx6MT9O.jbxd
                                      APIs
                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 018A30A6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267902620.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18a0000_wcNDx6MT9O.jbxd
                                      APIs
                                      • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 018A3250
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267902620.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18a0000_wcNDx6MT9O.jbxd
                                      APIs
                                      • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 018A3250
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267902620.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18a0000_wcNDx6MT9O.jbxd
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,031ED656,?,?,?,?,?), ref: 031ED717
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1268250652.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_31e0000_wcNDx6MT9O.jbxd
                                      APIs
                                      • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 018A3330
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267902620.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18a0000_wcNDx6MT9O.jbxd
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,031ED656,?,?,?,?,?), ref: 031ED717
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1268250652.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_31e0000_wcNDx6MT9O.jbxd
                                      APIs
                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 018A30A6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267902620.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18a0000_wcNDx6MT9O.jbxd
                                      APIs
                                      • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 018A3330
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267902620.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18a0000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      • Opcode ID: 4ddb180876337ccc8d2a1593630c75353599eb3bebde45a3b92ce3b7a553cfa5
                                      • Instruction ID: d8c2b266b95d79e765c4cc3dd34129819bd98adcab4d1bc27bf61fe6780fb695
                                      • Opcode Fuzzy Hash: 4ddb180876337ccc8d2a1593630c75353599eb3bebde45a3b92ce3b7a553cfa5
                                      • Instruction Fuzzy Hash: B82103718003499FDB14CFAAD880AEEBBF5FF48310F50842AE958A7240CB7999448BA4
                                      APIs
                                      • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 018A316E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267902620.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18a0000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: e833177662394e4ad62eb8b76a00ef9fc0a379a8d41a0e4a0f9229f272a869ad
                                      • Instruction ID: d32bbc8426324ea01bcdc32cf6f0ccb0d879163c0ac6149e28000b31e2b37917
                                      • Opcode Fuzzy Hash: e833177662394e4ad62eb8b76a00ef9fc0a379a8d41a0e4a0f9229f272a869ad
                                      • Instruction Fuzzy Hash: 7B2156718003489FDB21CFAAC804BDEBBF5EF48314F14841EE919A7250CB39A940CFA5
                                      APIs
                                      • VirtualProtect.KERNEL32(?,?,?,?), ref: 0E552763
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1288593140.000000000E550000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E550000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e550000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      • Opcode ID: 97b950618231d554c5fb0cd157283365b275776a4c991294259af3678a2fb23a
                                      • Instruction ID: dc4aa4133767e3d1f714878684d6d21d62226e554a91f445097d8b62476fc434
                                      • Opcode Fuzzy Hash: 97b950618231d554c5fb0cd157283365b275776a4c991294259af3678a2fb23a
                                      • Instruction Fuzzy Hash: 7821D6769002499FDB10DF9AC584BDEFBF4FB48310F14842AE958A7250D778A944CFA5
                                      APIs
                                      • VirtualProtect.KERNEL32(?,?,?,?), ref: 0E552763
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1288593140.000000000E550000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E550000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e550000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      • Opcode ID: 3553aec41d8235ca4f88943802c2e6809364b250757c22e8ef592f69d5e0ac81
                                      • Instruction ID: 17d8130ae6917ee200e4fc2574a5f2ff811d5c2b7e06a6f7305a3b9c950fc184
                                      • Opcode Fuzzy Hash: 3553aec41d8235ca4f88943802c2e6809364b250757c22e8ef592f69d5e0ac81
                                      • Instruction Fuzzy Hash: 4C21E7759002499FDB10CF9AC584BDEFBF4FB48310F10842AE958A7250D778A944CFA5
                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,031EB079,00000800,00000000,00000000), ref: 031EB28A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1268250652.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_31e0000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: 3a4b323de47d01592f5f1d0101b71ddf85b1f2dbb9f6fc3d3ff86d740fcb8116
                                      • Instruction ID: 8aec879e7f5a0d00e9b81702d8aa2778038e8e55798b1394cf082a5a5f13b33d
                                      • Opcode Fuzzy Hash: 3a4b323de47d01592f5f1d0101b71ddf85b1f2dbb9f6fc3d3ff86d740fcb8116
                                      • Instruction Fuzzy Hash: BD1103B68046098FDB20CF9AC444B9EFBF4EB48310F14842AE419A7210C779A945CFA5
                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,031EB079,00000800,00000000,00000000), ref: 031EB28A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1268250652.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_31e0000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: 0ab7ad51ddaad0deecede8840e32e1ac10628c7cbde7dc50d62af44807e0b011
                                      • Instruction ID: d10fe803da7799808a69b7487baa2711cc14929319813ca0a6f015cbb25dd840
                                      • Opcode Fuzzy Hash: 0ab7ad51ddaad0deecede8840e32e1ac10628c7cbde7dc50d62af44807e0b011
                                      • Instruction Fuzzy Hash: 551112B6C042098FDB20CF9AC844BDEFBF4EB48310F14842AE819A7600C779A545CFA5
                                      APIs
                                      • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 018A316E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267902620.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18a0000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: cd496f9f2d586eb3060f8bf75344d8c52be61b0662942a0c4184c3f881aa3663
                                      • Instruction ID: 43b526dfe67039c9ad658289fb16941acbf30e98082ff5e4521714eb7b40e299
                                      • Opcode Fuzzy Hash: cd496f9f2d586eb3060f8bf75344d8c52be61b0662942a0c4184c3f881aa3663
                                      • Instruction Fuzzy Hash: BA1126759003489FDB24DFAAC844BDEBBF5EF48314F14841AE919A7250CB79A944CFA4
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267902620.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18a0000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: ea7372dbaae0f386fe1f83d97431e853b082071a9a8c833e90e6214db524a979
                                      • Instruction ID: c80ddc8d79ef5eaf72634f67d9bf445081e7a0941fe57aa80bcd3694999bfb39
                                      • Opcode Fuzzy Hash: ea7372dbaae0f386fe1f83d97431e853b082071a9a8c833e90e6214db524a979
                                      • Instruction Fuzzy Hash: BB1116719003488FDB24DFAAC444B9EBBF9EB48214F14841AD519A7240CA79A9448BA5
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267902620.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18a0000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: 54001a4fafd6b58aa3a55307375f80ca3f46b948fd079908f632cdf22bcc7dc6
                                      • Instruction ID: 5286f5d9853abcc30cef0b71ce2ae7e5d264134b4a353a5585f39d9b4258d115
                                      • Opcode Fuzzy Hash: 54001a4fafd6b58aa3a55307375f80ca3f46b948fd079908f632cdf22bcc7dc6
                                      • Instruction Fuzzy Hash: 751164719002488FEB24CFAAC444BAEBBF5EF48314F14841ED419A7240CA79A940CBA4
                                      APIs
                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 018A7D8D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267902620.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18a0000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: b1f79a6021d2fed1049b2db1fab4cc2d9367529236eba2083dceb03af29432ae
                                      • Instruction ID: 6bb5d23ce92b73d08b4c2385b9047a2c6d6b2042dae8ea0db63cec309fc3bf40
                                      • Opcode Fuzzy Hash: b1f79a6021d2fed1049b2db1fab4cc2d9367529236eba2083dceb03af29432ae
                                      • Instruction Fuzzy Hash: 9911F5B58003489FDB10DF9AC444BEEBBF8EB48314F108419E554A7200C379AA44CFE5
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 031EAFFE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1268250652.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_31e0000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: dc639c378316bcddb8d0fa4b811cbd8f8c7ce95ac13a90dfa8f71ea6a74a27c4
                                      • Instruction ID: d6ff5142897babaacd1b374c4da31e2fb83c73f4f7bd626bf25ad2f990c4fbd1
                                      • Opcode Fuzzy Hash: dc639c378316bcddb8d0fa4b811cbd8f8c7ce95ac13a90dfa8f71ea6a74a27c4
                                      • Instruction Fuzzy Hash: 261110B6C046498FCB20CF9AC444BDEFBF4EF88324F14841AD428A7610C37AA545CFA1
                                      APIs
                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 018A7D8D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267902620.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18a0000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: 1dc85a53745f1904d891bd01445c08f03e83d21e8c28ee42f5881206392ed6ac
                                      • Instruction ID: 19df90f65d177564cea0a9e4a83c2e78536aa459d5f937bc27053827c2274a88
                                      • Opcode Fuzzy Hash: 1dc85a53745f1904d891bd01445c08f03e83d21e8c28ee42f5881206392ed6ac
                                      • Instruction Fuzzy Hash: 4711E5B58003499FDB20DF9AD845BDEBBF9FB48314F10841AD558A7610C379AA44CFA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267099529.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_16bd000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dc58b847503da0eb333570cc5aa317dba7f3caf06c341b9e3d5e92702d2d57f1
                                      • Instruction ID: 6e68baafc54d0156c0551e727fb9db24bd249fff812d71d4ce3a58a8e2958b17
                                      • Opcode Fuzzy Hash: dc58b847503da0eb333570cc5aa317dba7f3caf06c341b9e3d5e92702d2d57f1
                                      • Instruction Fuzzy Hash: 4E21FFB2500244EFDB15DF94D9C0B66BF65FB8831CF20C569E9090F256C33AD496CBA2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267099529.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_16bd000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8be22f651bf242faa619e23990ec81547a33e220f7cb2df7bad28be717521491
                                      • Instruction ID: b79f04e1733a60515aad4b20437bdd368cf271a4a9c75101b256bd7c027f1913
                                      • Opcode Fuzzy Hash: 8be22f651bf242faa619e23990ec81547a33e220f7cb2df7bad28be717521491
                                      • Instruction Fuzzy Hash: 2F210371501204DFDB15DF94D9C0B9ABB65FB88328F20C569E90A0F256C33AE496CBA2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267290597.00000000017DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_17dd000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d9735efc9a9de56827a78c4cd01849ec6615a03bc7f09fc1caa100d77401aed3
                                      • Instruction ID: c50210d18fba342bb4aae4900446a38a8cff59a01ba97f6f0b771547eb104acf
                                      • Opcode Fuzzy Hash: d9735efc9a9de56827a78c4cd01849ec6615a03bc7f09fc1caa100d77401aed3
                                      • Instruction Fuzzy Hash: BF21D071604308DFDB25DFA4D9C4B16FB75EB88314F24C5ADD90A4B296C33AD447CA62
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267290597.00000000017DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_17dd000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 20ed8d1f6a8070842b1cef046af12fbce6775271a8e2bc6d18286755242794ae
                                      • Instruction ID: c667dc25f4bd0913f8f859f2c674f3c002aaa8a3f693291d2709be04977778c3
                                      • Opcode Fuzzy Hash: 20ed8d1f6a8070842b1cef046af12fbce6775271a8e2bc6d18286755242794ae
                                      • Instruction Fuzzy Hash: 0321B371508208AFDB25DF94D9C0B25FB75FB84324F24C5ADD9494B692C336E446CA61
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267290597.00000000017DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_17dd000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 223da845f36586011f6177e43f4bb79f18f0317460175267c3c5afea009b904d
                                      • Instruction ID: 132f0513962018846062328aa1d6bd6fbb9f4c2635992f027e570f648327ac34
                                      • Opcode Fuzzy Hash: 223da845f36586011f6177e43f4bb79f18f0317460175267c3c5afea009b904d
                                      • Instruction Fuzzy Hash: 862180755083849FCB12CF64D994711BF71EB86214F28C5EAD8498F6A7C33A9806CB62
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267099529.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_16bd000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5f425b5cd1c464f0a4a5253a28fe3054bde847c9d27b32d63737858cb099eba0
                                      • Instruction ID: 3960710d26b62cc735fd6e0767f91419d02b2d7b320b8b43138f715649ad8710
                                      • Opcode Fuzzy Hash: 5f425b5cd1c464f0a4a5253a28fe3054bde847c9d27b32d63737858cb099eba0
                                      • Instruction Fuzzy Hash: AB11CD72404280CFCB12CF54D9C0B56BF61FB84318F24C6A9D8490F656C33AD456CBA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267099529.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_16bd000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5f425b5cd1c464f0a4a5253a28fe3054bde847c9d27b32d63737858cb099eba0
                                      • Instruction ID: 3dd4a7405c54ce4535b662a8f67163eeaa0632f114b19462278ee9ce269bbf4c
                                      • Opcode Fuzzy Hash: 5f425b5cd1c464f0a4a5253a28fe3054bde847c9d27b32d63737858cb099eba0
                                      • Instruction Fuzzy Hash: 3711CD72404240DFCB12CF44D9C0B96BF61FB84328F2486A9D9090F657C33AE45ACBA2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267290597.00000000017DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_17dd000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
                                      • Instruction ID: 93a0d508436fcca91297848571a7063c394620254aacca65dfd632313b572de8
                                      • Opcode Fuzzy Hash: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
                                      • Instruction Fuzzy Hash: 4711BB75508284DFCB22CF54D6C0B15FFB1FB84324F24C6AAD8494B696C33AE40ACB61
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267099529.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_16bd000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 67e57099733352015ce46a379376818d043c4ecfffeb96d65e50f4860a2717f6
                                      • Instruction ID: af957b436eb9c34b9a25e3f52c827a4c0787a196f7f5e27b63baab44e2918ee1
                                      • Opcode Fuzzy Hash: 67e57099733352015ce46a379376818d043c4ecfffeb96d65e50f4860a2717f6
                                      • Instruction Fuzzy Hash: 8201F731004380AEE7204A95CCC4BF6BBE8DF41228F18842AED090E282C3799881CBB2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267099529.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_16bd000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c844754129e36565b14fd25d0e624530ef4d95cd7f602bc9e06fd55dcaa2d03a
                                      • Instruction ID: d30d606db93bca7dfda92c440e0e39516ce10ee3bd89f3c852c37271a2062d91
                                      • Opcode Fuzzy Hash: c844754129e36565b14fd25d0e624530ef4d95cd7f602bc9e06fd55dcaa2d03a
                                      • Instruction Fuzzy Hash: 02F0C2710043849EE7208A0ACCC4BA2FFA8EF41624F18C45AED080F386C3799840CBB1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1276474084.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_5790000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: l
                                      • API String ID: 0-2517025534
                                      • Opcode ID: 43c225e3880dcc6ba1a10fce9d00db23dc8453051c39742acce2ea557e0d0c13
                                      • Instruction ID: 61f46e9c3984d524bffcfe31bef0c9f6ae6b92034ccd1e8b6d8bee3021a040f1
                                      • Opcode Fuzzy Hash: 43c225e3880dcc6ba1a10fce9d00db23dc8453051c39742acce2ea557e0d0c13
                                      • Instruction Fuzzy Hash: 6D110E3290D60A5BDB364958AC867CCFAB4DBA46F0F55061CD181DFADCE728C442C211
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1276474084.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_5790000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bb21404e71de3e77f08bf3009c6ffe3bd1b22fca42571d3af3a3d22da692c4dc
                                      • Instruction ID: f0dc278d51f267f128fb0f556390d67d6927772f5d536295c7e5d2b3f2ce86e0
                                      • Opcode Fuzzy Hash: bb21404e71de3e77f08bf3009c6ffe3bd1b22fca42571d3af3a3d22da692c4dc
                                      • Instruction Fuzzy Hash: BB12A9B0C2374D8AD310CF65E84E1893F71BBA5339B506A09E1625BAE1DFB4154ACF78
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267902620.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18a0000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 39b4cc613726ee4ae0dcf8c34954f9eb4f76d422a9f0122a7eb1670ae3d67627
                                      • Instruction ID: e9d5ab6662b1bb9572fbe08481579eb43371f09efe09df933e20f8f30dd92b0e
                                      • Opcode Fuzzy Hash: 39b4cc613726ee4ae0dcf8c34954f9eb4f76d422a9f0122a7eb1670ae3d67627
                                      • Instruction Fuzzy Hash: 50E11E74E002598FDB14CFA9C5849AEFBB2FF89304F648159E514AB356DB31AE42CF60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267902620.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18a0000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7afdece4230acd82a4305c70ea67a326e045528ca4fe1dea50cf6ea00d2665d9
                                      • Instruction ID: fcd5947af92171b6e05d5759056ac43ec358d3c5a54764f4d952896e062a1bcc
                                      • Opcode Fuzzy Hash: 7afdece4230acd82a4305c70ea67a326e045528ca4fe1dea50cf6ea00d2665d9
                                      • Instruction Fuzzy Hash: F8E10C74E002598FDB14CF98C584AADFBB2FF89304F648169D514AB356DB74AE42CF60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267902620.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18a0000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c238bd706e658a8b9994160798318c288b6bec5a3192aaa9d1a9630e8c49d5bc
                                      • Instruction ID: 24254f6a434775044192cde2faa5951263ac6f962a6276fecaafd38236433671
                                      • Opcode Fuzzy Hash: c238bd706e658a8b9994160798318c288b6bec5a3192aaa9d1a9630e8c49d5bc
                                      • Instruction Fuzzy Hash: 15E10974E002598FDB14CFA9C584AAEFBB2FF89304F648169D554AB356DB309E42CF60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267902620.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18a0000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 88099fbd94837ec6cb1fd58cb9da2da12ca0d77b8efdd5edd668f0e4cf4fa0c9
                                      • Instruction ID: 4d70fb7ab16afa124d59efa8a6a18815a65b98e5d6cfb448aab34d32dcbe6e2d
                                      • Opcode Fuzzy Hash: 88099fbd94837ec6cb1fd58cb9da2da12ca0d77b8efdd5edd668f0e4cf4fa0c9
                                      • Instruction Fuzzy Hash: 62E10C74E002598FDB14CF98C5849AEFBB2FF89304F648169E514AB356DB31AD42DF60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267902620.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18a0000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 31805b5c3ee55df0e42857c5b196a34b99dde402e97486d1feecd3c9a1e64043
                                      • Instruction ID: 34f2047ae50922b0bbb1f09b3e4516e2d069bec8ad53d8f0834c14985d704b11
                                      • Opcode Fuzzy Hash: 31805b5c3ee55df0e42857c5b196a34b99dde402e97486d1feecd3c9a1e64043
                                      • Instruction Fuzzy Hash: 3CE1FD74E002598FDB14DF99C584AAEFBB2FF89304F648169D514AB356DB30AE42CF60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1288593140.000000000E550000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E550000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e550000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 788f0ff400aa6ef79c12a4f481fea0be2b0cf9ef28c4cabfcfa6265be82a5f95
                                      • Instruction ID: 52f16b623abe9cfb85a6c5153a8467a8c08eb5c5068962f2b49aca2244a0c629
                                      • Opcode Fuzzy Hash: 788f0ff400aa6ef79c12a4f481fea0be2b0cf9ef28c4cabfcfa6265be82a5f95
                                      • Instruction Fuzzy Hash: F5E13835D2075A8ACB10EF64D8A4A9DB7B1FFA5300F51C79AD1093B220EF706AC5CB91
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1288593140.000000000E550000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E550000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e550000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9e74f8cccbafc4c22ef6189c1959585b9e517b3453803181ac0549f3af77363b
                                      • Instruction ID: f68328abcc14d523f1169f42ea9b85b4f8b41cd3613f5f848417ccef85eb235d
                                      • Opcode Fuzzy Hash: 9e74f8cccbafc4c22ef6189c1959585b9e517b3453803181ac0549f3af77363b
                                      • Instruction Fuzzy Hash: 83D11835D2075A8ACB11EF64D8A4A9DB7B1FFA5300F51C79AD1093B220EF706AC5CB91
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1268250652.00000000031E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_31e0000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b761e6653bb92448e4a89457981129c16d0d8f8a8fe2e86d9ff4090784b6b606
                                      • Instruction ID: e22a149700385b8fd2d459b55a286a6086133e640d7c2b3a31c049b40355099c
                                      • Opcode Fuzzy Hash: b761e6653bb92448e4a89457981129c16d0d8f8a8fe2e86d9ff4090784b6b606
                                      • Instruction Fuzzy Hash: 42A15F36E107098FCF19DFB4C84459EB7B2FF89300B16856AE805AF265DB32E956CB40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1276474084.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_5790000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 81c2a128ee3090dfecf64ddb87fe0fbeff1343b4320eed64615a6e6dc9429319
                                      • Instruction ID: 706016fe965083f2109e7979e4cb2dac1da8d91948aa829858f598c257e78251
                                      • Opcode Fuzzy Hash: 81c2a128ee3090dfecf64ddb87fe0fbeff1343b4320eed64615a6e6dc9429319
                                      • Instruction Fuzzy Hash: 90D11DB0C2374D8BD710CF28E84A1897FB1BBA5335B546A09E1526BAE1DFB41446CF78
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1276474084.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_5790000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 775db6c9382854b26f56a48e7d34b94eb3ce73a7d1602c6b295d9e33cb6e7324
                                      • Instruction ID: 11db535f6b03b8b45091f65fca03ab59f4d8415bb1f7c303aa11042a7d1c0ebd
                                      • Opcode Fuzzy Hash: 775db6c9382854b26f56a48e7d34b94eb3ce73a7d1602c6b295d9e33cb6e7324
                                      • Instruction Fuzzy Hash: CF717E75A00359CFCF0ADFA4D8899EDBBB2BF89300B244169D405AF261EB70AD45DB60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1288593140.000000000E550000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E550000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e550000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8635665a953572dd825ee3723537f9a43859e282f7bf43293d06488e973a8368
                                      • Instruction ID: 47a6395289bc19018ddca602fd5fced689685860a0159fbc08304efc84724102
                                      • Opcode Fuzzy Hash: 8635665a953572dd825ee3723537f9a43859e282f7bf43293d06488e973a8368
                                      • Instruction Fuzzy Hash: 3D513C75E012298FDB14DF69D990AAEFBF2FB89200F14C46AD809A7315DB309D81CF60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1288593140.000000000E550000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E550000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e550000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9e8d5ae27fc5f6eb00b45248dbdb52e880c1e106b2861c2b33fc9be534e9a430
                                      • Instruction ID: 13f82e2ee8babaaa72dd980a453a0c7a63f5ef92cbff018765b988ea21c2733c
                                      • Opcode Fuzzy Hash: 9e8d5ae27fc5f6eb00b45248dbdb52e880c1e106b2861c2b33fc9be534e9a430
                                      • Instruction Fuzzy Hash: DB513C74E012658FDB14CF69D990BAEBBF2BB89200F14C5AAD809A7315DB309D81CF60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267902620.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18a0000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 99ecd3c949cd25af5e422ed6f68c8ab5dfae2480de2772a63fbe12568b5f3293
                                      • Instruction ID: df7f11ed06053bf44beb9056344a6c4b5bf20acec8efe849edb899b640c3cd02
                                      • Opcode Fuzzy Hash: 99ecd3c949cd25af5e422ed6f68c8ab5dfae2480de2772a63fbe12568b5f3293
                                      • Instruction Fuzzy Hash: 4F512E74E002598FDB14CFA9C5845AEFBF2FF89304F6881AAD418AB356D7345A42CF61
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267902620.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18a0000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 82a9f8b755e79f0cd3f953fb5eefcf625acbd7dd9f769e084efdb1638a0ea0f9
                                      • Instruction ID: 392829a72cb6bc626649ae270c30dda4a76dd0e52b12d668ea6aa7f8f93f2316
                                      • Opcode Fuzzy Hash: 82a9f8b755e79f0cd3f953fb5eefcf625acbd7dd9f769e084efdb1638a0ea0f9
                                      • Instruction Fuzzy Hash: F7510E74E002598FDB14CFA9C5845AEFBF2FF89304F2481AAD518AB316D7355A42CFA0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267902620.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18a0000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c303edae9e0fe260337499730823324894e3f6d3bef5f754103ada6cdcd02260
                                      • Instruction ID: ca306237d5e24a94cc98115af892113ddd293c6790397aed6b2ded7b8d621162
                                      • Opcode Fuzzy Hash: c303edae9e0fe260337499730823324894e3f6d3bef5f754103ada6cdcd02260
                                      • Instruction Fuzzy Hash: 4E51FD75E002198FDB14CFA9C5445AEFBF2FF89304F648169D518AB315DB359A42CFA0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1267902620.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_18a0000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 057b1f643a646dcbdf8ae9ef7e9b8fe6bea814adf3c03d39a8688d1a960f5444
                                      • Instruction ID: 5fec67d8810b253fda2a83e2b46293780b9b750799da8ab8dff6ed6c8954187a
                                      • Opcode Fuzzy Hash: 057b1f643a646dcbdf8ae9ef7e9b8fe6bea814adf3c03d39a8688d1a960f5444
                                      • Instruction Fuzzy Hash: 4851EC74E002198FDB14CFA9C5845AEFBF2FF89314F64816AE418AB355DB319A42CF60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1288593140.000000000E550000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E550000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e550000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1910f2185ecb5935965ddaae401d16af45281a15eac1ecb8a77144be51d433ef
                                      • Instruction ID: d6902e6d983f4b72dfd398ca00277693b5d5eeaddf020c5b2f72e4d6122ad859
                                      • Opcode Fuzzy Hash: 1910f2185ecb5935965ddaae401d16af45281a15eac1ecb8a77144be51d433ef
                                      • Instruction Fuzzy Hash: 8A519BB1D057588FEB19CF6B8D5469AFBF3AFC9200F05C1BAD44CAA265EB3409458F11
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1288593140.000000000E550000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E550000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_e550000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4f9550dbc14e8ac3e588b8fb4544f156d6023d2deb762814b1685d20ffb97ee4
                                      • Instruction ID: 486363a851a27837b0c11c7ff2ef19eaa3609ce68b20a3a9ecbde29f89fad635
                                      • Opcode Fuzzy Hash: 4f9550dbc14e8ac3e588b8fb4544f156d6023d2deb762814b1685d20ffb97ee4
                                      • Instruction Fuzzy Hash: 98415B75E116188BEB18CF6B8D5469EFBF7BFC9300F14C5BA850CA6225EB300A858F51

                                      Execution Graph

                                      Execution Coverage: 2.6%
                                      Dynamic/Decrypted Code Coverage: 100%
                                      Signature Coverage: 2.6%
                                      Total number of Nodes: 1668
                                      Total number of Limit Nodes: 5
                                      execution_graph 6511 10008640 6514 10008657 6511->6514 6515 10008665 6514->6515 6516 10008679 6514->6516 6519 10006368 _free 20 API calls 6515->6519 6517 10008681 6516->6517 6518 10008693 6516->6518 6521 10006368 _free 20 API calls 6517->6521 6525 10008652 6518->6525 6527 100054a7 6518->6527 6520 1000866a 6519->6520 6522 100062ac _abort 26 API calls 6520->6522 6523 10008686 6521->6523 6522->6525 6526 100062ac _abort 26 API calls 6523->6526 6526->6525 6528 100054ba 6527->6528 6529 100054c4 6527->6529 6528->6525 6529->6528 6530 10005af6 _abort 38 API calls 6529->6530 6531 100054e5 6530->6531 6535 10007a00 6531->6535 6536 10007a13 6535->6536 6537 100054fe 6535->6537 6536->6537 6543 10007f0f 6536->6543 6539 10007a2d 6537->6539 6540 10007a40 6539->6540 6541 10007a55 6539->6541 6540->6541 6678 10006d7e 6540->6678 6541->6528 6544 10007f1b ___DestructExceptionObject 6543->6544 6545 10005af6 _abort 38 API calls 6544->6545 6546 10007f24 6545->6546 6547 10007f72 _abort 6546->6547 6555 10005671 RtlEnterCriticalSection 6546->6555 6547->6537 6549 10007f42 6556 10007f86 6549->6556 6554 100055a8 _abort 38 API calls 6554->6547 6555->6549 6557 10007f56 6556->6557 6558 10007f94 __fassign 6556->6558 6560 10007f75 6557->6560 6558->6557 6563 10007cc2 6558->6563 6677 100056b9 RtlLeaveCriticalSection 6560->6677 6562 10007f69 6562->6547 6562->6554 6564 10007d42 6563->6564 6567 10007cd8 6563->6567 6565 10007d90 6564->6565 6568 1000571e _free 20 API calls 6564->6568 6631 10007e35 6565->6631 6567->6564 6569 10007d0b 6567->6569 6574 1000571e _free 20 API calls 6567->6574 6570 10007d64 6568->6570 6571 10007d2d 6569->6571 6576 1000571e _free 20 API calls 6569->6576 6572 1000571e _free 20 API calls 6570->6572 6573 1000571e _free 20 API calls 6571->6573 6575 10007d77 6572->6575 6578 10007d37 6573->6578 6580 10007d00 6574->6580 6577 1000571e _free 20 API calls 6575->6577 6582 10007d22 6576->6582 6583 10007d85 6577->6583 6584 1000571e _free 20 API calls 
6578->6584 6579 10007dfe 6585 1000571e _free 20 API calls 6579->6585 6591 100090ba 6580->6591 6581 10007d9e 6581->6579 6589 1000571e 20 API calls _free 6581->6589 6619 100091b8 6582->6619 6588 1000571e _free 20 API calls 6583->6588 6584->6564 6590 10007e04 6585->6590 6588->6565 6589->6581 6590->6557 6592 100090cb 6591->6592 6618 100091b4 6591->6618 6593 100090dc 6592->6593 6594 1000571e _free 20 API calls 6592->6594 6595 100090ee 6593->6595 6597 1000571e _free 20 API calls 6593->6597 6594->6593 6596 10009100 6595->6596 6598 1000571e _free 20 API calls 6595->6598 6599 10009112 6596->6599 6600 1000571e _free 20 API calls 6596->6600 6597->6595 6598->6596 6601 10009124 6599->6601 6602 1000571e _free 20 API calls 6599->6602 6600->6599 6603 10009136 6601->6603 6605 1000571e _free 20 API calls 6601->6605 6602->6601 6604 10009148 6603->6604 6606 1000571e _free 20 API calls 6603->6606 6607 1000915a 6604->6607 6608 1000571e _free 20 API calls 6604->6608 6605->6603 6606->6604 6609 1000571e _free 20 API calls 6607->6609 6612 1000916c 6607->6612 6608->6607 6609->6612 6610 10009190 6615 100091a2 6610->6615 6616 1000571e _free 20 API calls 6610->6616 6611 1000917e 6611->6610 6614 1000571e _free 20 API calls 6611->6614 6612->6611 6613 1000571e _free 20 API calls 6612->6613 6613->6611 6614->6610 6617 1000571e _free 20 API calls 6615->6617 6615->6618 6616->6615 6617->6618 6618->6569 6620 100091c5 6619->6620 6630 1000921d 6619->6630 6621 1000571e _free 20 API calls 6620->6621 6622 100091d5 6620->6622 6621->6622 6623 100091e7 6622->6623 6624 1000571e _free 20 API calls 6622->6624 6625 100091f9 6623->6625 6627 1000571e _free 20 API calls 6623->6627 6624->6623 6626 1000920b 6625->6626 6628 1000571e _free 20 API calls 6625->6628 6629 1000571e _free 20 API calls 6626->6629 6626->6630 6627->6625 6628->6626 6629->6630 6630->6571 6632 10007e60 6631->6632 6633 10007e42 6631->6633 6632->6581 6633->6632 6637 1000925d 6633->6637 6636 1000571e _free 20 API calls 6636->6632 6638 10007e5a 
6637->6638 6639 1000926e 6637->6639 6638->6636 6673 10009221 6639->6673 6642 10009221 __fassign 20 API calls 6643 10009281 6642->6643 6644 10009221 __fassign 20 API calls 6643->6644 6645 1000928c 6644->6645 6646 10009221 __fassign 20 API calls 6645->6646 6647 10009297 6646->6647 6648 10009221 __fassign 20 API calls 6647->6648 6649 100092a5 6648->6649 6650 1000571e _free 20 API calls 6649->6650 6651 100092b0 6650->6651 6652 1000571e _free 20 API calls 6651->6652 6653 100092bb 6652->6653 6654 1000571e _free 20 API calls 6653->6654 6655 100092c6 6654->6655 6656 10009221 __fassign 20 API calls 6655->6656 6657 100092d4 6656->6657 6658 10009221 __fassign 20 API calls 6657->6658 6659 100092e2 6658->6659 6660 10009221 __fassign 20 API calls 6659->6660 6661 100092f3 6660->6661 6662 10009221 __fassign 20 API calls 6661->6662 6663 10009301 6662->6663 6664 10009221 __fassign 20 API calls 6663->6664 6665 1000930f 6664->6665 6666 1000571e _free 20 API calls 6665->6666 6667 1000931a 6666->6667 6668 1000571e _free 20 API calls 6667->6668 6669 10009325 6668->6669 6670 1000571e _free 20 API calls 6669->6670 6671 10009330 6670->6671 6672 1000571e _free 20 API calls 6671->6672 6672->6638 6674 10009258 6673->6674 6675 10009248 6673->6675 6674->6642 6675->6674 6676 1000571e _free 20 API calls 6675->6676 6676->6675 6677->6562 6679 10006d8a ___DestructExceptionObject 6678->6679 6680 10005af6 _abort 38 API calls 6679->6680 6682 10006d94 6680->6682 6683 10006e18 _abort 6682->6683 6684 100055a8 _abort 38 API calls 6682->6684 6686 1000571e _free 20 API calls 6682->6686 6687 10005671 RtlEnterCriticalSection 6682->6687 6688 10006e0f 6682->6688 6683->6541 6684->6682 6686->6682 6687->6682 6691 100056b9 RtlLeaveCriticalSection 6688->6691 6690 10006e16 6690->6682 6691->6690 7258 10007a80 7259 10007a8d 7258->7259 7260 1000637b _abort 20 API calls 7259->7260 7261 10007aa7 7260->7261 7262 1000571e _free 20 API calls 7261->7262 7263 10007ab3 7262->7263 7264 1000637b _abort 20 API calls 7263->7264 7267 
10007ad9 7263->7267 7266 10007acd 7264->7266 7265 10005eb7 11 API calls 7265->7267 7268 1000571e _free 20 API calls 7266->7268 7267->7265 7269 10007ae5 7267->7269 7268->7267 6083 10007103 GetCommandLineA GetCommandLineW 6084 10005303 6087 100050a5 6084->6087 6096 1000502f 6087->6096 6090 1000502f 5 API calls 6091 100050c3 6090->6091 6100 10005000 6091->6100 6094 10005000 20 API calls 6095 100050d9 6094->6095 6097 10005048 6096->6097 6098 10002ada _ValidateLocalCookies 5 API calls 6097->6098 6099 10005069 6098->6099 6099->6090 6101 1000502a 6100->6101 6102 1000500d 6100->6102 6101->6094 6103 10005024 6102->6103 6104 1000571e _free 20 API calls 6102->6104 6105 1000571e _free 20 API calls 6103->6105 6104->6102 6105->6101 6692 1000af43 6693 1000af59 6692->6693 6694 1000af4d 6692->6694 6694->6693 6695 1000af52 CloseHandle 6694->6695 6695->6693 6696 1000a945 6697 1000a96d 6696->6697 6698 1000a9a5 6697->6698 6699 1000a997 6697->6699 6700 1000a99e 6697->6700 6705 1000aa17 6699->6705 6709 1000aa00 6700->6709 6706 1000aa20 6705->6706 6713 1000b19b 6706->6713 6710 1000aa20 6709->6710 6711 1000b19b __startOneArgErrorHandling 21 API calls 6710->6711 6712 1000a9a3 6711->6712 6714 1000b1da __startOneArgErrorHandling 6713->6714 6716 1000b25c __startOneArgErrorHandling 6714->6716 6723 1000b59e 6714->6723 6721 1000b286 6716->6721 6726 100078a3 6716->6726 6718 1000b292 6720 10002ada _ValidateLocalCookies 5 API calls 6718->6720 6722 1000a99c 6720->6722 6721->6718 6730 1000b8b2 6721->6730 6737 1000b5c1 6723->6737 6727 100078cb 6726->6727 6728 10002ada _ValidateLocalCookies 5 API calls 6727->6728 6729 100078e8 6728->6729 6729->6721 6731 1000b8d4 6730->6731 6732 1000b8bf 6730->6732 6734 10006368 _free 20 API calls 6731->6734 6733 1000b8d9 6732->6733 6735 10006368 _free 20 API calls 6732->6735 6733->6718 6734->6733 6736 1000b8cc 6735->6736 6736->6718 6738 1000b5ec __raise_exc 6737->6738 6739 1000b7e5 RaiseException 6738->6739 6740 1000b5bc 6739->6740 6740->6716 7521 1000a1c6 
IsProcessorFeaturePresent 7522 10007bc7 7523 10007bd3 ___DestructExceptionObject 7522->7523 7524 10007c0a _abort 7523->7524 7530 10005671 RtlEnterCriticalSection 7523->7530 7526 10007be7 7527 10007f86 __fassign 20 API calls 7526->7527 7528 10007bf7 7527->7528 7531 10007c10 7528->7531 7530->7526 7534 100056b9 RtlLeaveCriticalSection 7531->7534 7533 10007c17 7533->7524 7534->7533 6741 10005348 6742 10003529 ___vcrt_uninitialize 8 API calls 6741->6742 6743 1000534f 6742->6743 6744 10007b48 6754 10008ebf 6744->6754 6748 10007b55 6767 1000907c 6748->6767 6751 10007b7f 6752 1000571e _free 20 API calls 6751->6752 6753 10007b8a 6752->6753 6771 10008ec8 6754->6771 6756 10007b50 6757 10008fdc 6756->6757 6758 10008fe8 ___DestructExceptionObject 6757->6758 6791 10005671 RtlEnterCriticalSection 6758->6791 6760 1000905e 6805 10009073 6760->6805 6762 10009032 RtlDeleteCriticalSection 6765 1000571e _free 20 API calls 6762->6765 6763 1000906a _abort 6763->6748 6766 10008ff3 6765->6766 6766->6760 6766->6762 6792 1000a09c 6766->6792 6768 10009092 6767->6768 6769 10007b64 RtlDeleteCriticalSection 6767->6769 6768->6769 6770 1000571e _free 20 API calls 6768->6770 6769->6748 6769->6751 6770->6769 6772 10008ed4 ___DestructExceptionObject 6771->6772 6781 10005671 RtlEnterCriticalSection 6772->6781 6774 10008f77 6786 10008f97 6774->6786 6777 10008f83 _abort 6777->6756 6779 10008e78 66 API calls 6780 10008ee3 6779->6780 6780->6774 6780->6779 6782 10007b94 RtlEnterCriticalSection 6780->6782 6783 10008f6d 6780->6783 6781->6780 6782->6780 6789 10007ba8 RtlLeaveCriticalSection 6783->6789 6785 10008f75 6785->6780 6790 100056b9 RtlLeaveCriticalSection 6786->6790 6788 10008f9e 6788->6777 6789->6785 6790->6788 6791->6766 6793 1000a0a8 ___DestructExceptionObject 6792->6793 6794 1000a0b9 6793->6794 6795 1000a0ce 6793->6795 6796 10006368 _free 20 API calls 6794->6796 6804 1000a0c9 _abort 6795->6804 6808 10007b94 RtlEnterCriticalSection 6795->6808 6798 1000a0be 6796->6798 6800 100062ac _abort 26 API 
calls 6798->6800 6799 1000a0ea 6809 1000a026 6799->6809 6800->6804 6802 1000a0f5 6825 1000a112 6802->6825 6804->6766 7073 100056b9 RtlLeaveCriticalSection 6805->7073 6807 1000907a 6807->6763 6808->6799 6810 1000a033 6809->6810 6811 1000a048 6809->6811 6812 10006368 _free 20 API calls 6810->6812 6817 1000a043 6811->6817 6828 10008e12 6811->6828 6813 1000a038 6812->6813 6815 100062ac _abort 26 API calls 6813->6815 6815->6817 6817->6802 6818 1000907c 20 API calls 6819 1000a064 6818->6819 6834 10007a5a 6819->6834 6821 1000a06a 6841 1000adce 6821->6841 6824 1000571e _free 20 API calls 6824->6817 7072 10007ba8 RtlLeaveCriticalSection 6825->7072 6827 1000a11a 6827->6804 6829 10008e2a 6828->6829 6830 10008e26 6828->6830 6829->6830 6831 10007a5a 26 API calls 6829->6831 6830->6818 6832 10008e4a 6831->6832 6856 10009a22 6832->6856 6835 10007a66 6834->6835 6836 10007a7b 6834->6836 6837 10006368 _free 20 API calls 6835->6837 6836->6821 6838 10007a6b 6837->6838 6839 100062ac _abort 26 API calls 6838->6839 6840 10007a76 6839->6840 6840->6821 6842 1000adf2 6841->6842 6843 1000addd 6841->6843 6844 1000ae2d 6842->6844 6849 1000ae19 6842->6849 6845 10006355 __dosmaperr 20 API calls 6843->6845 6846 10006355 __dosmaperr 20 API calls 6844->6846 6847 1000ade2 6845->6847 6850 1000ae32 6846->6850 6848 10006368 _free 20 API calls 6847->6848 6853 1000a070 6848->6853 7029 1000ada6 6849->7029 6852 10006368 _free 20 API calls 6850->6852 6854 1000ae3a 6852->6854 6853->6817 6853->6824 6855 100062ac _abort 26 API calls 6854->6855 6855->6853 6857 10009a2e ___DestructExceptionObject 6856->6857 6858 10009a36 6857->6858 6859 10009a4e 6857->6859 6881 10006355 6858->6881 6861 10009aec 6859->6861 6865 10009a83 6859->6865 6863 10006355 __dosmaperr 20 API calls 6861->6863 6866 10009af1 6863->6866 6864 10006368 _free 20 API calls 6867 10009a43 _abort 6864->6867 6884 10008c7b RtlEnterCriticalSection 6865->6884 6869 10006368 _free 20 API calls 6866->6869 6867->6830 6871 10009af9 6869->6871 6870 10009a89 6872 
[Execution graph residue: this span is the flattened node/edge list of the control-flow graph for the module based at 0x10000000 (basic blocks 0x10001000 to 0x1000c872), continuing from the previous section and cut off mid-list; the graph itself does not render as text. What is recoverable is which Win32 APIs the graph attaches to which block addresses:]

0x100010f1 to 0x10001ede (non-CRT code): GetEnvironmentVariableW; repeated lstrlenW/lstrcatW path building; FindFirstFileW, FindNextFileW, FindClose; GetFileAttributesW; CopyFileW, CreateFileW, GetFileSize, ReadFile, CloseHandle, DeleteFileW; on the error path RaiseException via __CxxThrowException@8.

0x1000c7a7 to 0x1000c872 (non-CRT code): GetModuleHandleA, GetProcAddress, then two VirtualProtect calls around the resolved export, the page-permission toggle that precedes in-memory patching of a resolved function.

0x10002000 to 0x1000b9xx (MSVC CRT, symbols _abort, __dosmaperr, _free, _ValidateLocalCookies, __fassign, dllmain_dispatch, ___scrt_fastfail): heap (RtlAllocateHeap, HeapFree, GetProcessHeap); code page and locale (GetACP, GetOEMCP, IsValidCodePage, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, LCMapStringW, GetStringTypeW); console and file I/O (WriteFile, WriteConsoleW, GetConsoleCP, GetConsoleMode, SetFilePointerEx, GetStdHandle, SetStdHandle, GetFileType, FindFirstFileExA); TLS and critical sections (TlsGetValue, TlsSetValue, TlsFree, InitializeCriticalSectionAndSpinCount, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlDeleteCriticalSection); security-cookie init (GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter); fail-fast and process exit (IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, ExitProcess, GetPEB); module lookup (GetModuleHandleW, GetModuleHandleExW, LoadLibraryExW, GetProcAddress, FreeLibrary, GetModuleFileNameA); environment block (GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStartupInfoW); RtlDecodePointer, RtlUnwind, RtlInterlockedFlushSList.

Note for triage: the IsDebuggerPresent call in this graph sits at 0x1000612a on the CRT's ___scrt_fastfail path next to SetUnhandledExceptionFilter/UnhandledExceptionFilter, not in the module's own code, so on its own it is not an anti-debugging indicator for this sample; the file-enumeration/copy/read/delete sequence and the GetProcAddress/VirtualProtect pair are the parts of this graph worth following in the disassembly.
6369->6371 6373 10002ada _ValidateLocalCookies 5 API calls 6370->6373 6372 10005c45 _abort 5 API calls 6371->6372 6372->6370 6374 10004abe 6373->6374 6374->6341 6374->6342 6375 10001f3f 6376 10001f4b ___DestructExceptionObject 6375->6376 6393 1000247c 6376->6393 6378 10001f52 6379 10002041 6378->6379 6380 10001f7c 6378->6380 6387 10001f57 ___scrt_is_nonwritable_in_current_image 6378->6387 6416 10002639 IsProcessorFeaturePresent 6379->6416 6404 100023de 6380->6404 6383 10002048 6384 10001f8b __RTC_Initialize 6384->6387 6407 100022fc RtlInitializeSListHead 6384->6407 6386 10001f99 ___scrt_initialize_default_local_stdio_options 6408 100046c5 6386->6408 6391 10001fb8 6391->6387 6392 10004669 _abort 5 API calls 6391->6392 6392->6387 6394 10002485 6393->6394 6420 10002933 IsProcessorFeaturePresent 6394->6420 6398 1000249a 6398->6378 6399 10002496 6399->6398 6431 100053c8 6399->6431 6402 100024b1 6402->6378 6505 100024b5 6404->6505 6406 100023e5 6406->6384 6407->6386 6409 100046dc 6408->6409 6410 10002ada _ValidateLocalCookies 5 API calls 6409->6410 6411 10001fad 6410->6411 6411->6387 6412 100023b3 6411->6412 6413 100023b8 ___scrt_release_startup_lock 6412->6413 6414 10002933 ___isa_available_init IsProcessorFeaturePresent 6413->6414 6415 100023c1 6413->6415 6414->6415 6415->6391 6417 1000264e ___scrt_fastfail 6416->6417 6418 100026f9 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 6417->6418 6419 10002744 ___scrt_fastfail 6418->6419 6419->6383 6421 10002491 6420->6421 6422 100034ea 6421->6422 6423 100034ef ___vcrt_initialize_winapi_thunks 6422->6423 6442 10003936 6423->6442 6427 10003505 6428 10003510 6427->6428 6456 10003972 6427->6456 6428->6399 6430 100034fd 6430->6399 6497 10007457 6431->6497 6434 10003529 6435 10003532 6434->6435 6436 10003543 6434->6436 6437 1000391b ___vcrt_uninitialize_ptd 6 API calls 6435->6437 6436->6398 6438 10003537 6437->6438 6439 10003972 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 6438->6439 6440 1000353c 
6439->6440 6501 10003c50 6440->6501 6443 1000393f 6442->6443 6445 10003968 6443->6445 6446 100034f9 6443->6446 6460 10003be0 6443->6460 6447 10003972 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 6445->6447 6446->6430 6448 100038e8 6446->6448 6447->6446 6478 10003af1 6448->6478 6451 100038fd 6451->6427 6454 10003918 6454->6427 6457 1000399c 6456->6457 6458 1000397d 6456->6458 6457->6430 6459 10003987 RtlDeleteCriticalSection 6458->6459 6459->6457 6459->6459 6465 10003a82 6460->6465 6462 10003bfa 6463 10003c18 InitializeCriticalSectionAndSpinCount 6462->6463 6464 10003c03 6462->6464 6463->6464 6464->6443 6466 10003aa6 __crt_fast_encode_pointer 6465->6466 6467 10003aaa 6465->6467 6466->6462 6467->6466 6471 100039be 6467->6471 6470 10003ac4 GetProcAddress 6470->6466 6476 100039cd try_get_first_available_module 6471->6476 6472 10003a77 6472->6466 6472->6470 6473 100039ea LoadLibraryExW 6474 10003a05 GetLastError 6473->6474 6473->6476 6474->6476 6475 10003a60 FreeLibrary 6475->6476 6476->6472 6476->6473 6476->6475 6477 10003a38 LoadLibraryExW 6476->6477 6477->6476 6479 10003a82 try_get_function 5 API calls 6478->6479 6480 10003b0b 6479->6480 6481 10003b24 TlsAlloc 6480->6481 6482 100038f2 6480->6482 6482->6451 6483 10003ba2 6482->6483 6484 10003a82 try_get_function 5 API calls 6483->6484 6485 10003bbc 6484->6485 6486 10003bd7 TlsSetValue 6485->6486 6487 1000390b 6485->6487 6486->6487 6487->6454 6488 1000391b 6487->6488 6489 1000392b 6488->6489 6490 10003925 6488->6490 6489->6451 6492 10003b2c 6490->6492 6493 10003a82 try_get_function 5 API calls 6492->6493 6494 10003b46 6493->6494 6495 10003b5e TlsFree 6494->6495 6496 10003b52 6494->6496 6495->6496 6496->6489 6500 10007470 6497->6500 6498 10002ada _ValidateLocalCookies 5 API calls 6499 100024a3 6498->6499 6499->6402 6499->6434 6500->6498 6502 10003c7f 6501->6502 6503 10003c59 6501->6503 6502->6436 6503->6502 6504 10003c69 FreeLibrary 6503->6504 6504->6503 6506 100024c4 6505->6506 6507 100024c8 6505->6507 
6506->6406 6508 10002639 ___scrt_fastfail 4 API calls 6507->6508 6510 100024d5 ___scrt_release_startup_lock 6507->6510 6509 10002559 6508->6509 6510->6406 7477 100067bf 7482 100067f4 7477->7482 7480 100067db 7481 1000571e _free 20 API calls 7481->7480 7483 10006806 7482->7483 7492 100067cd 7482->7492 7484 10006836 7483->7484 7485 1000680b 7483->7485 7484->7492 7493 100071d6 7484->7493 7486 1000637b _abort 20 API calls 7485->7486 7488 10006814 7486->7488 7489 1000571e _free 20 API calls 7488->7489 7489->7492 7490 10006851 7491 1000571e _free 20 API calls 7490->7491 7491->7492 7492->7480 7492->7481 7494 100071e1 7493->7494 7495 10007209 7494->7495 7496 100071fa 7494->7496 7499 10007218 7495->7499 7502 10008a98 7495->7502 7497 10006368 _free 20 API calls 7496->7497 7501 100071ff ___scrt_fastfail 7497->7501 7509 10008acb 7499->7509 7501->7490 7503 10008aa3 7502->7503 7504 10008ab8 RtlSizeHeap 7502->7504 7505 10006368 _free 20 API calls 7503->7505 7504->7499 7506 10008aa8 7505->7506 7507 100062ac _abort 26 API calls 7506->7507 7508 10008ab3 7507->7508 7508->7499 7510 10008ae3 7509->7510 7511 10008ad8 7509->7511 7513 10008aeb 7510->7513 7519 10008af4 _abort 7510->7519 7512 100056d0 21 API calls 7511->7512 7518 10008ae0 7512->7518 7516 1000571e _free 20 API calls 7513->7516 7514 10008af9 7517 10006368 _free 20 API calls 7514->7517 7515 10008b1e RtlReAllocateHeap 7515->7518 7515->7519 7516->7518 7517->7518 7518->7501 7519->7514 7519->7515 7520 1000474f _abort 7 API calls 7519->7520 7520->7519 7848 10005bff 7856 10005d5c 7848->7856 7851 10005c13 7852 10005b7a _abort 20 API calls 7853 10005c1b 7852->7853 7854 10005c28 7853->7854 7855 10005c2b 11 API calls 7853->7855 7855->7851 7857 10005c45 _abort 5 API calls 7856->7857 7858 10005d83 7857->7858 7859 10005d9b TlsAlloc 7858->7859 7860 10005d8c 7858->7860 7859->7860 7861 10002ada _ValidateLocalCookies 5 API calls 7860->7861 7862 10005c09 7861->7862 7862->7851 7862->7852

                                      Control-flow Graph

                                      APIs
                                      • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                      • lstrcatW.KERNEL32(?,?), ref: 10001151
                                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                      • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                      • FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                      • FindClose.KERNELBASE(00000000), ref: 100011DB
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                      • String ID:
                                      • API String ID: 1083526818-0
                                      • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                      • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                                      • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                      • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

                                      Control-flow Graph

                                      APIs
                                      • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                                        • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                        • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?), ref: 10001151
                                        • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                        • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                        • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                        • Part of subcall function 100010F1: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                        • Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                        • Part of subcall function 100010F1: FindClose.KERNELBASE(00000000), ref: 100011DB
                                      • lstrlenW.KERNEL32(?), ref: 100014C5
                                      • lstrlenW.KERNEL32(?), ref: 100014E0
                                      • lstrlenW.KERNEL32(?,?), ref: 1000150F
                                      • lstrcatW.KERNEL32(00000000), ref: 10001521
                                      • lstrlenW.KERNEL32(?,?), ref: 10001547
                                      • lstrcatW.KERNEL32(00000000), ref: 10001553
                                      • lstrlenW.KERNEL32(?,?), ref: 10001579
                                      • lstrcatW.KERNEL32(00000000), ref: 10001585
                                      • lstrlenW.KERNEL32(?,?), ref: 100015AB
                                      • lstrcatW.KERNEL32(00000000), ref: 100015B7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                      • String ID: )$Foxmail$ProgramFiles
                                      • API String ID: 672098462-2938083778
                                      • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                      • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                                      • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                      • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                                      Control-flow Graph

                                      APIs
                                      • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                      • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                        • Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                        • Part of subcall function 1000C803: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                        • Part of subcall function 1000C803: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProcProtectVirtual
                                      • String ID:
                                      • API String ID: 2099061454-0
                                      • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                      • Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
                                      • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                      • Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE

                                      Control-flow Graph

                                      control_flow_graph 79 1000c7a7-1000c7bc 80 1000c82d 79->80 81 1000c7be-1000c7c6 79->81 83 1000c82f-1000c833 80->83 81->80 82 1000c7c8-1000c7f6 call 1000c7e6 81->82 91 1000c7f8 82->91 92 1000c86c-1000c86e 82->92 85 1000c872 call 1000c877 83->85 86 1000c835-1000c83d GetModuleHandleA 83->86 89 1000c83f-1000c847 86->89 89->89 90 1000c849-1000c84c 89->90 90->83 93 1000c84e-1000c850 90->93 96 1000c7fa-1000c7fe 91->96 97 1000c85b-1000c85e 91->97 94 1000c870 92->94 95 1000c866-1000c86b 92->95 98 1000c852-1000c854 93->98 99 1000c856-1000c85a 93->99 94->90 95->92 102 1000c865 96->102 103 1000c800-1000c80b GetProcAddress 96->103 100 1000c85f-1000c860 GetProcAddress 97->100 98->100 99->97 100->102 102->95 103->80 104 1000c80d-1000c81a VirtualProtect 103->104 105 1000c82c 104->105 106 1000c81c-1000c82a VirtualProtect 104->106 105->80 106->105
                                      APIs
                                      • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                        • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                        • Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                        • Part of subcall function 1000C7E6: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                        • Part of subcall function 1000C7E6: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProcProtectVirtual
                                      • String ID:
                                      • API String ID: 2099061454-0
                                      • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                      • Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
                                      • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                      • Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE

                                      Control-flow Graph

                                      control_flow_graph 107 1000c803-1000c80b GetProcAddress 108 1000c82d 107->108 109 1000c80d-1000c81a VirtualProtect 107->109 112 1000c82f-1000c833 108->112 110 1000c82c 109->110 111 1000c81c-1000c82a VirtualProtect 109->111 110->108 111->110 113 1000c872 call 1000c877 112->113 114 1000c835-1000c83d GetModuleHandleA 112->114 116 1000c83f-1000c847 114->116 116->116 117 1000c849-1000c84c 116->117 117->112 118 1000c84e-1000c850 117->118 119 1000c852-1000c854 118->119 120 1000c856-1000c85e 118->120 121 1000c85f-1000c865 GetProcAddress 119->121 120->121 124 1000c866-1000c86e 121->124 126 1000c870 124->126 126->117
                                      APIs
                                      • GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                      • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                      • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                      • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: AddressProcProtectVirtual$HandleModule
                                      • String ID:
                                      • API String ID: 2152742572-0
                                      • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                      • Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
                                      • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                      • Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE
                                      APIs
                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 100061E4
                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 100061F1
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                      • String ID:
                                      • API String ID: 3906539128-0
                                      • Opcode ID: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                      • Instruction ID: da4494ed88e82f72bec2981ffd8ad716d5acf317cb547f21db02b9c2842d332f
                                      • Opcode Fuzzy Hash: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                      • Instruction Fuzzy Hash: 4A31D37490122C9BEB21DF24DD88B8DBBB8EF08350F5041DAE81CA7265E7709F818F55
                                      APIs
                                      • GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
                                      • TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
                                      • ExitProcess.KERNEL32 ref: 10004AEE
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Process$CurrentExitTerminate
                                      • String ID:
                                      • API String ID: 1703294689-0
                                      • Opcode ID: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                      • Instruction ID: 67c7ca3480f18a9b01e05da0926f82de4ad888d39fdd55e1be860e0f4a97641b
                                      • Opcode Fuzzy Hash: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                      • Instruction Fuzzy Hash: 04E04676000218AFEF01BF25CD48B493B6AEF013C1F128010F9088B029CB35ED52CA68
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: .
                                      • API String ID: 0-248832578
                                      • Opcode ID: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                      • Instruction ID: 9046c4836333a0efab45ea1e09b7d9ff5bbd95f87beecc7c41f4b92e1cb642f0
                                      • Opcode Fuzzy Hash: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                      • Instruction Fuzzy Hash: 45313771800159AFEB14CF74CC84EEA7BBEDB49384F200198F81997259E6319E448B60
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: HeapProcess
                                      • String ID:
                                      • API String ID: 54951025-0
                                      • Opcode ID: 460c158515a4b2323efe0f0dc9aa5714cfdfaf7ec70cb60f3b96f32d1927db1d
                                      • Instruction ID: 1e6cba0042ebf2c12c09a4b69519b161692f08ba8376aa17aabccb2fe2e68a66
                                      • Opcode Fuzzy Hash: 460c158515a4b2323efe0f0dc9aa5714cfdfaf7ec70cb60f3b96f32d1927db1d
                                      • Instruction Fuzzy Hash: 81A01130A002228FE3208F308A8A30E3AACAA002C0B00803AE80CC0028EB30C0028B00

                                      Control-flow Graph

                                      control_flow_graph 136 1000173a-100017fe call 1000c030 call 10002c40 * 2 143 10001803 call 10001cca 136->143 144 10001808-1000180c 143->144 145 10001812-10001816 144->145 146 100019ad-100019b1 144->146 145->146 147 1000181c-10001837 call 10001ede 145->147 150 1000183d-10001845 147->150 151 1000199f-100019ac call 10001ee7 * 2 147->151 153 10001982-10001985 150->153 154 1000184b-1000184e 150->154 151->146 156 10001995-10001999 153->156 157 10001987 153->157 154->153 158 10001854-10001881 call 100044b0 * 2 call 10001db7 154->158 156->150 156->151 161 1000198a-1000198d call 10002c40 157->161 170 10001887-1000189f call 100044b0 call 10001db7 158->170 171 1000193d-10001943 158->171 166 10001992 161->166 166->156 170->171 187 100018a5-100018a8 170->187 172 10001945-10001947 171->172 173 1000197e-10001980 171->173 172->173 175 10001949-1000194b 172->175 173->161 177 10001961-1000197c call 100016aa 175->177 178 1000194d-1000194f 175->178 177->166 180 10001951-10001953 178->180 181 10001955-10001957 178->181 180->177 180->181 184 10001959-1000195b 181->184 185 1000195d-1000195f 181->185 184->177 184->185 185->173 185->177 188 100018c4-100018dc call 100044b0 call 10001db7 187->188 189 100018aa-100018c2 call 100044b0 call 10001db7 187->189 188->156 198 100018e2-1000193b call 100016aa call 100015da call 10002c40 * 2 188->198 189->188 189->198 198->156
                                      APIs
                                        • Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                        • Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                        • Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                      • _strlen.LIBCMT ref: 10001855
                                      • _strlen.LIBCMT ref: 10001869
                                      • _strlen.LIBCMT ref: 1000188B
                                      • _strlen.LIBCMT ref: 100018AE
                                      • _strlen.LIBCMT ref: 100018C8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _strlen$File$CopyCreateDelete
                                      • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                      • API String ID: 3296212668-3023110444
                                      • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                      • Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
                                      • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                      • Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _strlen
                                      • String ID: %m$~$Gon~$~F@7$~dra
                                      • API String ID: 4218353326-230879103
                                      • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                      • Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
                                      • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                      • Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0

                                      Control-flow Graph (function entry 10007cc2; rendered basic-block graph not reproduced)
                                      APIs
                                      • ___free_lconv_mon.LIBCMT ref: 10007D06
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                      • _free.LIBCMT ref: 10007CFB
                                        • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                        • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                      • _free.LIBCMT ref: 10007D1D
                                      • _free.LIBCMT ref: 10007D32
                                      • _free.LIBCMT ref: 10007D3D
                                      • _free.LIBCMT ref: 10007D5F
                                      • _free.LIBCMT ref: 10007D72
                                      • _free.LIBCMT ref: 10007D80
                                      • _free.LIBCMT ref: 10007D8B
                                      • _free.LIBCMT ref: 10007DC3
                                      • _free.LIBCMT ref: 10007DCA
                                      • _free.LIBCMT ref: 10007DE7
                                      • _free.LIBCMT ref: 10007DFF
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                      • String ID:
                                      • API String ID: 161543041-0
                                      • Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                      • Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
                                      • Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                      • Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14

                                      Control-flow Graph

                                      APIs
                                      • _free.LIBCMT ref: 100059EA
                                        • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                        • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                      • _free.LIBCMT ref: 100059F6
                                      • _free.LIBCMT ref: 10005A01
                                      • _free.LIBCMT ref: 10005A0C
                                      • _free.LIBCMT ref: 10005A17
                                      • _free.LIBCMT ref: 10005A22
                                      • _free.LIBCMT ref: 10005A2D
                                      • _free.LIBCMT ref: 10005A38
                                      • _free.LIBCMT ref: 10005A43
                                      • _free.LIBCMT ref: 10005A51
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                      • Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
                                      • Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                      • Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84

                                      Control-flow Graph

                                      APIs
                                      • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                      • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D72
                                      • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D7D
                                      • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                      • String ID:
                                      • API String ID: 1454806937-0
                                      • Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                      • Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
                                      • Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                      • Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70

                                      Control-flow Graph (function entry 10009492; rendered basic-block graph not reproduced)
                                      APIs
                                      • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,10009C07,?,00000000,?,00000000,00000000), ref: 100094D4
                                      • __fassign.LIBCMT ref: 1000954F
                                      • __fassign.LIBCMT ref: 1000956A
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
                                      • WriteFile.KERNEL32(?,?,00000000,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095AF
                                      • WriteFile.KERNEL32(?,?,00000001,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095E8
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                      • String ID:
                                      • API String ID: 1324828854-0
                                      • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                      • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                      • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                      • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60

                                      Control-flow Graph (function entry 10003370; rendered basic-block graph not reproduced)
                                      APIs
                                      • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                      • _ValidateLocalCookies.LIBCMT ref: 10003431
                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                      • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                      • String ID: csm
                                      • API String ID: 1170836740-1018135373
                                      • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                      • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                      • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                      • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                      • _free.LIBCMT ref: 100092AB
                                        • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                        • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                      • _free.LIBCMT ref: 100092B6
                                      • _free.LIBCMT ref: 100092C1
                                      • _free.LIBCMT ref: 10009315
                                      • _free.LIBCMT ref: 10009320
                                      • _free.LIBCMT ref: 1000932B
                                      • _free.LIBCMT ref: 10009336
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                      • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                      • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                      • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751

                                      Control-flow Graph (function entry 10008821; rendered basic-block graph not reproduced)
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                                      • __freea.LIBCMT ref: 10008A08
                                        • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                      • __freea.LIBCMT ref: 10008A11
                                      • __freea.LIBCMT ref: 10008A36
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                                      • String ID:
                                      • API String ID: 1414292761-0
                                      • Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                      • Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
                                      • Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                      • Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1
                                      APIs
                                      • _strlen.LIBCMT ref: 10001607
                                      • _strcat.LIBCMT ref: 1000161D
                                      • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                                      • lstrcatW.KERNEL32(?,?), ref: 1000165A
                                      • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                                      • lstrcatW.KERNEL32(00001008,?), ref: 10001686
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: lstrcatlstrlen$_strcat_strlen
                                      • String ID:
                                      • API String ID: 1922816806-0
                                      • Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                      • Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
                                      • Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                      • Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9
                                      APIs
                                      • lstrcatW.KERNEL32(?,?), ref: 10001038
                                      • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                                      • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                                      • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                                      • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: lstrlen$AttributesFilelstrcat
                                      • String ID:
                                      • API String ID: 3594823470-0
                                      • Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                      • Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
                                      • Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                      • Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50
                                      APIs
                                      • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                                      • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ErrorLastValue___vcrt_
                                      • String ID:
                                      • API String ID: 3852720340-0
                                      APIs
                                      • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                      • _free.LIBCMT ref: 10005B2D
                                      • _free.LIBCMT ref: 10005B55
                                      • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                                      • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                      • _abort.LIBCMT ref: 10005B74
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_free$_abort
                                      • String ID:
                                      • API String ID: 3160817290-0
                                      APIs
                                        • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                        • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?), ref: 10001EAC
                                        • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                        • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                        • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                                      • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                                        • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                                        • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                      • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                      • API String ID: 4036392271-1520055953
                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
                                      • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      • API String ID: 4061214504-1276376045
                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                        • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                      • _free.LIBCMT ref: 100071B8
                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                      • String ID:
                                      • API String ID: 336800556-0
                                      APIs
                                      • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                      • _free.LIBCMT ref: 10005BB4
                                      • _free.LIBCMT ref: 10005BDB
                                      • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                      • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_free
                                      • String ID:
                                      • API String ID: 3170660625-0
                                      APIs
                                      • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                      • lstrcatW.KERNEL32(?,?), ref: 10001EAC
                                      • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                      • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                      • lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: lstrlen$lstrcat
                                      • String ID:
                                      • API String ID: 493641738-0
                                      APIs
                                      • _free.LIBCMT ref: 100091D0
                                        • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                        • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                      • _free.LIBCMT ref: 100091E2
                                      • _free.LIBCMT ref: 100091F4
                                      • _free.LIBCMT ref: 10009206
                                      • _free.LIBCMT ref: 10009218
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      APIs
                                      • _free.LIBCMT ref: 1000536F
                                        • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                        • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                      • _free.LIBCMT ref: 10005381
                                      • _free.LIBCMT ref: 10005394
                                      • _free.LIBCMT ref: 100053A5
                                      • _free.LIBCMT ref: 100053B6
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\wcNDx6MT9O.exe,00000104), ref: 10004C1D
                                      • _free.LIBCMT ref: 10004CE8
                                      • _free.LIBCMT ref: 10004CF2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _free$FileModuleName
                                      • String ID: C:\Users\user\Desktop\wcNDx6MT9O.exe
                                      • API String ID: 2506810119-4223444048
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
                                      • __freea.LIBCMT ref: 100087D5
                                        • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                      • String ID:
                                      • API String ID: 2652629310-0
                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                                      • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: LibraryLoad$ErrorLast
                                      • String ID:
                                      • API String ID: 3177248105-0
                                      APIs
                                      • _free.LIBCMT ref: 1000655C
                                        • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017,100062AB,00000000,?,?,?,?,00000016,?,?,100062B8,00000000,00000000,00000000,00000000,00000000), ref: 100062BE
                                        • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
                                        • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                      • String ID: *?$.
                                      • API String ID: 2667617558-3972193922
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _strlen
                                      • String ID: : $Se.
                                      • API String ID: 4218353326-4089948878
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
                                        • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3683473510.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000009.00000002.3683368691.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                      • Associated: 00000009.00000002.3683473510.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_10000000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Exception@8Throw$ExceptionRaise
                                      • String ID: Unknown exception
                                      • API String ID: 3476068407-410509341

                                      Execution Graph

                                      Execution Coverage:13.4%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:201
                                      Total number of Limit Nodes:7
                                      execution_graph (raw graph data omitted)

                                      Control-flow Graph (function starting at 734383c; raw graph data omitted)
                                      APIs
                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07343A7E
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1329856135.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7340000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      • Opcode ID: 21046f230118b5704fa904dbd14f73dedc12a1748ddce779c94aa4d65f3bba6e
                                      • Instruction ID: cc067df3e1a64a2815445924034e41f07daa4b0ee6bc5bfd04f4779cf14eef02
                                      • Opcode Fuzzy Hash: 21046f230118b5704fa904dbd14f73dedc12a1748ddce779c94aa4d65f3bba6e
                                      • Instruction Fuzzy Hash: 3BA13AB1D0025A8FEB28CF68C8417EDBBF2AF44314F14816AE849B7240D775A985CF91

                                      Control-flow Graph (function starting at 7343848; raw graph data omitted)
                                      APIs
                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07343A7E
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1329856135.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7340000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      • Opcode ID: 885e2ffd26b7de11e43cd3d287579d3880fd563d747aa27b9a6336e44185564f
                                      • Instruction ID: fac1c417309a8f0141e4295ab64c87a2841f6d68028c0d44372b8ffb92f95bea
                                      • Opcode Fuzzy Hash: 885e2ffd26b7de11e43cd3d287579d3880fd563d747aa27b9a6336e44185564f
                                      • Instruction Fuzzy Hash: B5913AB1D0021A9FEB24CF68CC41BEDBBF2AF48314F148169E859B7240DB75A985CF91

                                      Control-flow Graph (function starting at 12bada8; raw graph data omitted)
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 012BAFFE
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1319053250.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_12b0000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: c06068e119cd1288f6bd565c6b581d084a913b8f55d6a4c0b0bcb9569bb6561e
                                      • Instruction ID: 3e8aa7949c7fb1655766a595d7d37d8d29365e7b8cba5fbafc88249164084ea3
                                      • Opcode Fuzzy Hash: c06068e119cd1288f6bd565c6b581d084a913b8f55d6a4c0b0bcb9569bb6561e
                                      • Instruction Fuzzy Hash: CC715870A10B068FE725DF69D4847AABBF1FF88344F00892ED58AD7A40D775E849CB91

                                      Control-flow Graph (function starting at 12b44b4; raw graph data omitted)
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 012B59C9
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1319053250.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_12b0000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 559f7d8810006cb0a5b606bd9ceee84327ce6abffa33c450378841395217d9a5
                                      • Instruction ID: c23537c85d94561d99eb0037d46333870cbce3b838f61bc76586b58cd1b6c89a
                                      • Opcode Fuzzy Hash: 559f7d8810006cb0a5b606bd9ceee84327ce6abffa33c450378841395217d9a5
                                      • Instruction Fuzzy Hash: ED419DB1C1071DCBDB24DFA9C884BDDBBB5BF49304F20806AD509AB251DB766946CF90

                                      Control-flow Graph (function starting at 12b590c; raw graph data omitted)
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 012B59C9
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1319053250.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_12b0000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: a55030bdc1763b2ef7c886847a0248ef7f10a7f45b7056cb08aac0e02172b2ee
                                      • Instruction ID: 6e4e43e307e43626a1f4c405a24de6b65148eb625171213caad118b61867f9da
                                      • Opcode Fuzzy Hash: a55030bdc1763b2ef7c886847a0248ef7f10a7f45b7056cb08aac0e02172b2ee
                                      • Instruction Fuzzy Hash: C041BDB1C10719CBDB24DFA9C884BDDBBF5BF49304F20805AD508AB251DB766946CF90

                                      Control-flow Graph (function starting at 73431b9; raw graph data omitted)
                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07343250
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1329856135.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7340000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      • Opcode ID: 59fa5c99d56ac52a349a1ec674d682a4f4d1853b75f60819f361e13c977686b2
                                      • Instruction ID: f955d5511ccf865169568924b0b8cf79706c3bb317778ef49adc5009cd1574b2
                                      • Opcode Fuzzy Hash: 59fa5c99d56ac52a349a1ec674d682a4f4d1853b75f60819f361e13c977686b2
                                      • Instruction Fuzzy Hash: 9F2108B59003599FDB14CFA9C881BEEBBF1FF48310F10842AE959A7240C7799945CB64

                                      Control-flow Graph (function starting at 73431c0; raw graph data omitted)
                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07343250
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1329856135.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7340000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      • Opcode ID: 1d8635aaf9e878051f1b67d09b84193701d503860302c6f8d09c8a20a307dea2
                                      • Instruction ID: 4cc60d7a1e8485111224d61ac2396584733bf9116708e9eaf03ae1e0b484f408
                                      • Opcode Fuzzy Hash: 1d8635aaf9e878051f1b67d09b84193701d503860302c6f8d09c8a20a307dea2
                                      • Instruction Fuzzy Hash: 802124B59003499FDB14CFAAC880BDEBBF5FF48310F10842AE919A7240C779A940CBA4

                                      Control-flow Graph (function starting at 73432a8; raw graph data omitted)
                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07343330
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1329856135.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7340000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      • Opcode ID: cc6579f70b08853b956ada892c3e8ad84b59123a319c41ea9a4ea12c8e24b3d3
                                      • Instruction ID: f1331cddcf7b85329da8b3b590e305fdebc59d8eaebf2798cbca8f547a229f7d
                                      • Opcode Fuzzy Hash: cc6579f70b08853b956ada892c3e8ad84b59123a319c41ea9a4ea12c8e24b3d3
                                      • Instruction Fuzzy Hash: DA2127B18003499FDB14CFAAC880BDEFBF5FF48310F14842AE559A7240CB39A541CBA5

                                      Control-flow Graph (function starting at 7343020; raw graph data omitted)
                                      APIs
                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073430A6
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1329856135.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7340000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID: ContextThreadWow64
                                      • String ID:
                                      • API String ID: 983334009-0
                                      • Opcode ID: 64316f0be1ccea8437a3f4bfca441b326bf67ac66a99871dda7a09aca7c00e86
                                      • Instruction ID: a977e60f5970aaa0c272abcbcc1454f94b24067999b5a01bc29d343f40829ec9
                                      • Opcode Fuzzy Hash: 64316f0be1ccea8437a3f4bfca441b326bf67ac66a99871dda7a09aca7c00e86
                                      • Instruction Fuzzy Hash: 812178B5D003099FEB14DFAAC485BEEBBF4EF48210F14842ED419A7240CB78A945CFA5
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012BD656,?,?,?,?,?), ref: 012BD717
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1319053250.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_12b0000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 3aa3ad78000e9fb231fca1895c2293e31ba4e79d91fbc3cf6cb9b8a4c1b44844
                                      • Instruction ID: 742c5ea0d33138724a830fe8c30f90707f3b4ede60d538fee91d20a3f2264854
                                      • Opcode Fuzzy Hash: 3aa3ad78000e9fb231fca1895c2293e31ba4e79d91fbc3cf6cb9b8a4c1b44844
                                      • Instruction Fuzzy Hash: 2A21E3B5D1024C9FDB10CFAAD884BEEBBF4EB48314F14841AE918A7350D379A954CFA5
                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07343330
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1329856135.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7340000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      • Opcode ID: a197ea27fab24e48043f739b005f6f17a7383cd6ac6008caf5628d4153a7eccb
                                      • Instruction ID: 3586052b3647a13b4f1ea368039f8ff609bc826f289efd106ed4a2ac6493eada
                                      • Opcode Fuzzy Hash: a197ea27fab24e48043f739b005f6f17a7383cd6ac6008caf5628d4153a7eccb
                                      • Instruction Fuzzy Hash: 2C2119B1C003499FDB14CFAAC880BDEBBF5FF48310F50842AE519A7240C7799540CB65
                                      APIs
                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073430A6
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1329856135.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7340000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID: ContextThreadWow64
                                      • String ID:
                                      • API String ID: 983334009-0
                                      • Opcode ID: 0170fda6973dc4572f50a2e5c494ccda558d2345f45afa30d6c01e7187bb3682
                                      • Instruction ID: 06988e2a9e16b69b009cbdff1be34ecba9a31f43f34f3fbfb33f6eefdcdd78df
                                      • Opcode Fuzzy Hash: 0170fda6973dc4572f50a2e5c494ccda558d2345f45afa30d6c01e7187bb3682
                                      • Instruction Fuzzy Hash: 9B2138B5D003099FDB24DFAAC484BEEBBF4EF48214F14842ED559A7240CB79A944CFA5
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012BD656,?,?,?,?,?), ref: 012BD717
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1319053250.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_12b0000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 48986cc7a83396c390aa12ffaae4d6d4d3f29ae37556eefbe1ed80ca55c3f0c0
                                      • Instruction ID: eeae24adde55bf67b96f3779e4edd753a918535d0f315ed790778e648e2f9db4
                                      • Opcode Fuzzy Hash: 48986cc7a83396c390aa12ffaae4d6d4d3f29ae37556eefbe1ed80ca55c3f0c0
                                      • Instruction Fuzzy Hash: 5B21E0B5D002499FDB10CFAAD584BEEBBF5EB48314F24841AE918A7750C378A945CF61
                                      APIs
                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 01582763
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1319956469.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_1580000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      • Opcode ID: 50325fb743ed4cf4822457bc1396e1d6bc244207d83e4dd936998d91c739d418
                                      • Instruction ID: 0e0f1cdcb53dd9df590102656fd24f2f9b6efb590e3962639ad6ff7149c705f4
                                      • Opcode Fuzzy Hash: 50325fb743ed4cf4822457bc1396e1d6bc244207d83e4dd936998d91c739d418
                                      • Instruction Fuzzy Hash: A021E4B59002499FDB10DF9AC984BDEFBF4FB48320F10842AE958A7750D379A944CFA5
                                      APIs
                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 01582763
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1319956469.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_1580000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      • Opcode ID: 9654a1ab0d2299116bcedf673129860d8369b9c5cf7c2566ffc1128a22b89d69
                                      • Instruction ID: 8423d36b0edb592cfa68142eae0341689a161fe5e567977c5af8e47dcb62b011
                                      • Opcode Fuzzy Hash: 9654a1ab0d2299116bcedf673129860d8369b9c5cf7c2566ffc1128a22b89d69
                                      • Instruction Fuzzy Hash: B721E4B59002499FDB10DF9AC584BDEFBF4FB48320F10842AE958A7650D379A944CFA5
                                      APIs
                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012BB079,00000800,00000000,00000000), ref: 012BB28A
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1319053250.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_12b0000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: 76fd440b6b8de4838657a5ebda0e0e2ab6aecc3c10d9543e3bf8b24875e96364
                                      • Instruction ID: 8774efee4b79d4c7347c2498d9f7f617ba254a1be977581f89ea7607eb5bb504
                                      • Opcode Fuzzy Hash: 76fd440b6b8de4838657a5ebda0e0e2ab6aecc3c10d9543e3bf8b24875e96364
                                      • Instruction Fuzzy Hash: DD1117B6C103499FDB14CF9AC484BDEFBF4EB48310F10841AE519A7600C379A545CFA5
                                      APIs
                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0734316E
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1329856135.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7340000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 110a23c15f472ae0fa2f6802c06d9b5fe6bac717360a4805ee3dd06bb4a2e572
                                      • Instruction ID: 6343b6883620f89a9ead3e703147b9bd8864dd85fd6f89c904884d18523d57c8
                                      • Opcode Fuzzy Hash: 110a23c15f472ae0fa2f6802c06d9b5fe6bac717360a4805ee3dd06bb4a2e572
                                      • Instruction Fuzzy Hash: E71159759003499FDB24DFAAC844BEEBBF5EF48320F24841EE519A7250CB799940CFA4
                                      APIs
                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012BB079,00000800,00000000,00000000), ref: 012BB28A
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1319053250.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_12b0000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: 755488c3c76a2620a0867dd7059c479d9c84e03b9883e148e09452d38bdbb5ce
                                      • Instruction ID: 677c0baeb745e78ee97491fb6b6c319f50564c5a19e48abf5d35c28e2f46ca80
                                      • Opcode Fuzzy Hash: 755488c3c76a2620a0867dd7059c479d9c84e03b9883e148e09452d38bdbb5ce
                                      • Instruction Fuzzy Hash: 9B1112B6C002498FDB24CFAAC484BDEFBF4EB88310F10842AD919A7610C379A545CFA5
                                      APIs
                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0734316E
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1329856135.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7340000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 9d9a1dc41016c0a0c8049ee9daefd2711ee1d56fdb1f422ec924804d9d9c6492
                                      • Instruction ID: 565f9f41dfd110c1cd65a2147ad0ff990192a6f8d38b24e3ea8bf4d527b6849f
                                      • Opcode Fuzzy Hash: 9d9a1dc41016c0a0c8049ee9daefd2711ee1d56fdb1f422ec924804d9d9c6492
                                      • Instruction Fuzzy Hash: FF1137758003499FDB24DFAAC844BDFBBF5EF48310F24881AE519A7250CB79A940CFA5
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1329856135.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7340000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: 98051177530838fe4b5ee9e3db502f98c71d8fef1cfd56277db7afa6e43018ee
                                      • Instruction ID: dc813792e39b1f699dd18c4f9b5113124efa1a17940d3c3fdc9e9ab35c6d46e8
                                      • Opcode Fuzzy Hash: 98051177530838fe4b5ee9e3db502f98c71d8fef1cfd56277db7afa6e43018ee
                                      • Instruction Fuzzy Hash: 5F1137B59003498FDB24DFAAC444BAEFBF5EF48224F24841AD519A7240CA79A941CBA5
                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1329856135.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7340000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: 9c933939519e99a7c27236d185999d5ca7e9aea107b40ba14ecffef78c6b87e5
                                      • Instruction ID: a0ecdcf9002759533fdd1beab52416cd8bc7f03c236b2ad06dd1784f39a2a38a
                                      • Opcode Fuzzy Hash: 9c933939519e99a7c27236d185999d5ca7e9aea107b40ba14ecffef78c6b87e5
                                      • Instruction Fuzzy Hash: 2D1128B5D003498FDB24DFAAC444BDFFBF5EF48214F24841AD519A7240CB79A940CBA5
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 012BAFFE
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1319053250.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_12b0000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: e9b9684aa0ba7f6b4f8b9750d017e6ebc770fd920bff4d703ba9bb286e326753
                                      • Instruction ID: 1cb4a8c2349ffaadcec962ff78d66d05d56c77c5cb142d69234c738c4355d950
                                      • Opcode Fuzzy Hash: e9b9684aa0ba7f6b4f8b9750d017e6ebc770fd920bff4d703ba9bb286e326753
                                      • Instruction Fuzzy Hash: CA11E0B6C002498FDB24CF9AC484BDEFBF4EB88314F10841AD529A7610D379A545CFA5
                                      APIs
                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 07346F85
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1329856135.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7340000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: 57c790abbff0594e2f243a3c1c8a7b47cf62c746b255e4addfc565dea7cf6fec
                                      • Instruction ID: 18c1caf1e5594c6ecd45f8f07701ab80dac99bc81357eb14d4aadc6dab3cee6d
                                      • Opcode Fuzzy Hash: 57c790abbff0594e2f243a3c1c8a7b47cf62c746b255e4addfc565dea7cf6fec
                                      • Instruction Fuzzy Hash: 821103B5804349DFDB20DF9AC485BDEBBF8EB49310F20845AE559A7700C379A944CFA5
                                      APIs
                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 07346F85
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1329856135.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_7340000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: e6b264310ff7c97468eb9446d7e38766d7b5ac301e1723fe457ccea9e859f551
                                      • Instruction ID: 5483a0614cffa2aa7a4eeeadebc618c9f27a2aa1f3dfc7073cc31c17b8c6ad05
                                      • Opcode Fuzzy Hash: e6b264310ff7c97468eb9446d7e38766d7b5ac301e1723fe457ccea9e859f551
                                      • Instruction Fuzzy Hash: CA1106B5800349DFDB10CF9AD485BDEBBF4EB48314F108419E558A7600C379A544CFA1
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1318763456.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_125d000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 50161e8755dc9685c18e445aa2f84b716a910ee8380f803e847b0682f766885f
                                      • Instruction ID: 5f3021f7bc1f8def22e6be251479cfaa9b5a66e042cf1d1887c8f5a344e52fee
                                      • Opcode Fuzzy Hash: 50161e8755dc9685c18e445aa2f84b716a910ee8380f803e847b0682f766885f
                                      • Instruction Fuzzy Hash: 12212172520308DFDB45DF94D8C0B26BB61FB88320F20C569ED098B247C376D416CBA2
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1318763456.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_125d000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7db39ae6c0db46c7f6ded45902e999bd9797255e53c5faf07e71de752fc8b815
                                      • Instruction ID: 1d963dbce21c4bd6fc05b7beda21f4072a48fefc7cfd47f21dd084300f65f217
                                      • Opcode Fuzzy Hash: 7db39ae6c0db46c7f6ded45902e999bd9797255e53c5faf07e71de752fc8b815
                                      • Instruction Fuzzy Hash: 30210072520248DFDB55DF94E9C0F26BF65FB88328F20C569ED090B256C336D456CAA2
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1318827617.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_126d000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5e4c0eb44b68c095f42387239f91050a4669504eeb1f812d52d7058aea41f731
                                      • Instruction ID: eb3667d2379ae82f45f73d607b21fc507bc21bbd3a554afabe21648057e83975
                                      • Opcode Fuzzy Hash: 5e4c0eb44b68c095f42387239f91050a4669504eeb1f812d52d7058aea41f731
                                      • Instruction Fuzzy Hash: 3621457161030CDFDB15DF94C5C0B25BB69FB84324F20C56DD9894B293C376D486CA61
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1318827617.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_126d000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a52490201dbbeb394aff3343745ce8d51d4e9de2102d3940b34ed5e87a267641
                                      • Instruction ID: 03cdf5852854b183bfb86de2e722c006614b788e02d4c9a5f062c8d377c181ae
                                      • Opcode Fuzzy Hash: a52490201dbbeb394aff3343745ce8d51d4e9de2102d3940b34ed5e87a267641
                                      • Instruction Fuzzy Hash: D521257561430CDFDB15DF54D5C0B16BB69EB84314F20C56DD98A0B292C37BD487CAA1
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1318763456.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_125d000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 34ed18dbe1fbc7fec028946c4a8f46b05e137d48d9d88c732245ebcda57f4e15
                                      • Instruction ID: ab56c2dc71caffa2384b6a58992816720c2afc6ff3b25b950162e9f4b7b180c2
                                      • Opcode Fuzzy Hash: 34ed18dbe1fbc7fec028946c4a8f46b05e137d48d9d88c732245ebcda57f4e15
                                      • Instruction Fuzzy Hash: 8521CD76404244CFDB06CF54D9C4B16BF62FB84324F24C5AADD084B657C33AD426CBA1
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1318763456.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_125d000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5f425b5cd1c464f0a4a5253a28fe3054bde847c9d27b32d63737858cb099eba0
                                      • Instruction ID: 4b0ec3f3e5a0989f2c0bb0f7e14f1ef25e5a99833c48df7b4efb177705e730ea
                                      • Opcode Fuzzy Hash: 5f425b5cd1c464f0a4a5253a28fe3054bde847c9d27b32d63737858cb099eba0
                                      • Instruction Fuzzy Hash: 3111AF76504284CFCB16CF54E5C4B16BF71FB84328F24C6A9DD490B656C336D45ACBA1
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1318827617.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_126d000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
                                      • Instruction ID: d761472a8d8a2e11556cac503fd5b0036ab49706dbe7392b8927207ec8cb62c2
                                      • Opcode Fuzzy Hash: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
                                      • Instruction Fuzzy Hash: 1A11BE75604288CFCB12CF54D5C4B15BF61FB84314F24C6AAD9494B696C33BD44ACBA1
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.1318827617.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_10_2_126d000_udDHoOiYEFTRf.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
                                      • Instruction ID: 02f9737e100307b0f9d2e038b3f737067a1c7ba0714e7596ff9773e5c37a5745
                                      • Opcode Fuzzy Hash: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
                                      • Instruction Fuzzy Hash: C311BB75604288DFDB12CF54D5C0B15BFA1FB84324F28C6AAD9894B697C33AD48ACB61
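The function records above become much easier to triage once they are grouped by the memory dump they were found in, because each dump offset (01580000, 012B0000, 07340000, 0125D000, 0126D000) is one unpacked or injected code blob in process 0000000A. The Python script below is an added example written for this report, not Joe Sandbox tooling: it parses blocks in the layout shown above (the sample records are copied from this page), unions the API names per dump region, flags regions that contain more than one remote-injection primitive (the `INJECTION_APIS` list is the example's own choice), and names the constant uMsg argument of the PostMessageW call, where 0x00000010 is WM_CLOSE. The fallback from a missing call line to the record's "API ID" field rests on an observation about how those IDs are formed here and is labelled as such in the code.

```python
import re
from collections import defaultdict

# Constructed sample: four function records copied from the report above
# (process 0000000A), reduced to the fields the parser reads. Header lines
# such as "APIs", "Memory Dump Source" or "Similarity" are simply ignored.
SAMPLE = """\
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0734316E
• Source File: 0000000A.00000002.1329856135.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
• API ID: AllocVirtual
• Opcode ID: 110a23c15f472ae0fa2f6802c06d9b5fe6bac717360a4805ee3dd06bb4a2e572
• Instruction ID: 6343b6883620f89a9ead3e703147b9bd8864dd85fd6f89c904884d18523d57c8
• Source File: 0000000A.00000002.1329856135.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
• API ID: ResumeThread
• Opcode ID: 98051177530838fe4b5ee9e3db502f98c71d8fef1cfd56277db7afa6e43018ee
• Instruction ID: dc813792e39b1f699dd18c4f9b5113124efa1a17940d3c3fdc9e9ab35c6d46e8
• PostMessageW.USER32(?,00000010,00000000,?), ref: 07346F85
• Source File: 0000000A.00000002.1329856135.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false
• API ID: MessagePost
• Opcode ID: 57c790abbff0594e2f243a3c1c8a7b47cf62c746b255e4addfc565dea7cf6fec
• Instruction ID: 18c1caf1e5594c6ecd45f8f07701ab80dac99bc81357eb14d4aadc6dab3cee6d
• Source File: 0000000A.00000002.1318827617.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
• API ID:
• Opcode ID: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
• Instruction ID: d761472a8d8a2e11556cac503fd5b0036ab49706dbe7392b8927207ec8cb62c2
"""

# "• Name.MODULE(args), ref: ADDR" call lines and generic "• Key: value" lines.
API_RE = re.compile(r"•\s*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
FIELD_RE = re.compile(r"•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


def parse_records(text):
    """One dict per function block. A block is opened by its first call line
    (if it has any) or by its 'Source File' line, and closed by the next one."""
    records, cur = [], {"apis": []}

    def start_new():
        nonlocal cur
        if "region" in cur:                 # only keep blocks that named a dump
            records.append(cur)
        cur = {"apis": []}

    for line in text.splitlines():
        m = API_RE.search(line)
        if m:
            if "region" in cur:             # call line after a dump line = next block
                start_new()
            cur["apis"].append(m.groupdict())
            continue
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, val = m.group("key"), m.group("val").strip()
        if key == "Source File":
            if "region" in cur:             # second dump line = next block
                start_new()
            cur["region"] = re.search(r"Offset:\s*([0-9A-Fa-f]+)", val).group(1)
        elif key in ("API ID", "Opcode ID", "Instruction ID"):
            cur[key.lower().replace(" ", "_")] = val
    start_new()
    return records


def api_names(rec):
    # Prefer explicit call lines. Fall back to the report's "API ID", which in
    # these records looks like the call's CamelCase words sorted with the
    # Get/Ex/W affixes dropped ("AllocVirtual" for VirtualAllocEx). That is an
    # observation from this page, not a documented Joe Sandbox format.
    names = {a["name"] for a in rec["apis"]}
    if not names and rec.get("api_id"):
        names.add(rec["api_id"])
    return names


def apis_by_region(records):
    """Union of API names per memory-dump region (one unpacked/injected blob each)."""
    out = defaultdict(set)
    for r in records:
        out[r["region"]] |= api_names(r)
    return dict(out)


# Primitives that make up remote-process injection; the list is this example's own.
INJECTION_APIS = {"VirtualAllocEx", "VirtualProtectEx", "WriteProcessMemory",
                  "NtWriteVirtualMemory", "CreateRemoteThread", "SetThreadContext",
                  "NtUnmapViewOfSection", "ResumeThread"}


def injection_regions(records, min_hits=2):
    """Regions whose functions together reach at least min_hits injection primitives."""
    per_region = {reg: sorted(apis & INJECTION_APIS)
                  for reg, apis in apis_by_region(records).items()}
    return {reg: hits for reg, hits in per_region.items() if len(hits) >= min_hits}


WM_NAMES = {0x0002: "WM_DESTROY", 0x0010: "WM_CLOSE", 0x0012: "WM_QUIT"}


def decode_post_message(records):
    """(ref, message name) for PostMessageW/SendMessageW calls whose uMsg is a constant."""
    out = []
    for r in records:
        for a in r["apis"]:
            if a["name"] in ("PostMessageW", "SendMessageW"):
                args = a["args"].split(",")
                if len(args) > 1 and args[1] != "?":
                    msg = int(args[1], 16)
                    out.append((a["ref"], WM_NAMES.get(msg, hex(msg))))
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(apis_by_region(recs))
    print(injection_regions(recs))       # {'07340000': ['ResumeThread', 'VirtualAllocEx']}
    print(decode_post_message(recs))     # [('07346F85', 'WM_CLOSE')]
```

Run against the full set of records on this page, the grouping singles out the 07340000 dump as the blob that holds VirtualAllocEx together with ResumeThread, which is the pair to inspect next for the process injection the report's signatures describe; VirtualProtect sits in the 01580000 dump and LoadLibraryExW / GetModuleHandleW in 012B0000 on the module-resolution side.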

                                      Execution Graph

                                      Execution Coverage:6.3%
                                      Dynamic/Decrypted Code Coverage:9.2%
                                      Signature Coverage:1.5%
                                      Total number of Nodes:2000
                                      Total number of Limit Nodes:88
execution_graph [interactive node/edge figure; only the node labels survived extraction. Each node is a function address plus the API calls made from it, and "N API calls" stands for a collapsed subroutine. Labels visible in this stretch of the graph:]
• 0x4466f4 (entry): CRT start-up sequence GetModuleHandleA, __set_app_type, __p__fmode, __p__commode, __setusermatherr, _controlfp, _initterm, __wgetmainargs, GetStartupInfoW, then a call into 0x41276d, then exit / _cexit.
• 0x41276d (main routine): 0x4044a4 LoadLibraryW and GetProcAddress with FreeLibrary / MessageBoxW branches; SetErrorMode, GetModuleHandleW, EnumResourceTypesW; 0x40a804 GetSystemDirectoryW, wcscpy, wcscat, LoadLibraryW; C++ allocations (??2@YAPAXI / ??3@YAXPAX); 0x40dd07 and 0x40db69 INI-file settings via GetModuleFileNameW, wcsrchr, GetFileAttributesW, GetPrivateProfileStringW, GetPrivateProfileIntW, WritePrivateProfileStringW, LoadStringW, _itow, _snwprintf; CoInitialize; 0x4123e2 RegisterClassW, CreateWindowExW; ShowWindow, UpdateWindow, LoadAcceleratorsW and a GetMessageW / TranslateAcceleratorW / IsDialogMessageW / TranslateMessage / DispatchMessageW message loop; UI helpers LoadIconW, CreateFontIndirectW, LoadCursorW, SetCursor, DeleteObject, SendMessageW, GetWindowPlacement, GetSystemMetrics, SetWindowPlacement.
• 0x40b58d: GetModuleHandleW, FindResourceW, LoadResource, SizeofResource, LockResource followed by memcpy (an embedded resource read and copied); 0x414770 wcscpy, CreateFileW, CloseHandle; 0x444a54 FreeLibrary; 0x4032b4 wcscmp / _wcsicmp; 0x4110dc _wcsicmp / qsort.
• 0x430937 and 0x441819: routines built on memset, memcmp, memcpy with collapsed subroutines 0x4169a7, 0x43041c, 0x42faf4, 0x430468, 0x42bf4c, 0x430af5 and others; 0x4152c6 malloc; 0x442ec6 (19 API calls).
??3@YAXPAX 38353->38818 38361 445c8b memset memset 38354->38361 38428 445cf0 38354->38428 38364 445bd4 38355->38364 38365 445b98 38355->38365 38368 40b2cc 27 API calls 38359->38368 38369 409d1f 6 API calls 38360->38369 38372 414c2e 16 API calls 38361->38372 38362 44589f 38819 40b1ab ??3@YAXPAX ??3@YAXPAX 38362->38819 38370 445621 38363->38370 38378 414c2e 16 API calls 38364->38378 38365->38364 38374 445ba2 38365->38374 38371 4459ac 38368->38371 38382 445919 38369->38382 38804 4454bf 20 API calls 38370->38804 38384 409d1f 6 API calls 38371->38384 38385 445cc9 38372->38385 38891 4099c6 wcslen 38374->38891 38375 4456b2 38806 40b1ab ??3@YAXPAX ??3@YAXPAX 38375->38806 38377 40b2cc 27 API calls 38390 445a4f 38377->38390 38392 445be2 38378->38392 38379 403335 38519 4452e5 45 API calls 38379->38519 38380 445d3d 38412 40b2cc 27 API calls 38380->38412 38381 445d88 memset memset memset 38395 414c2e 16 API calls 38381->38395 38820 409b98 GetFileAttributesW 38382->38820 38383 445823 38383->38353 38394 4087b3 338 API calls 38383->38394 38396 4459bc 38384->38396 38397 409d1f 6 API calls 38385->38397 38590 444b06 38386->38590 38387 445879 38387->38362 38408 4087b3 338 API calls 38387->38408 38389->38338 38413 44594a 38389->38413 38769 409d1f wcslen wcslen 38390->38769 38401 40b2cc 27 API calls 38392->38401 38394->38383 38405 445dde 38395->38405 38887 409b98 GetFileAttributesW 38396->38887 38407 445ce1 38397->38407 38398 445bb3 38894 445403 memset 38398->38894 38399 445680 38399->38375 38640 4087b3 memset 38399->38640 38402 445bf3 38401->38402 38411 409d1f 6 API calls 38402->38411 38403 445928 38403->38413 38821 40b6ef 38403->38821 38414 40b2cc 27 API calls 38405->38414 38911 409b98 GetFileAttributesW 38407->38911 38408->38387 38422 445c07 38411->38422 38423 445d54 _wcsicmp 38412->38423 38413->38342 38427 4459ed 38413->38427 38426 445def 38414->38426 38415 4459cb 38415->38427 38436 40b6ef 252 API calls 38415->38436 38419 40b2cc 27 API calls 38420 445a94 38419->38420 38774 40ae18 
38420->38774 38421 44566d 38421->38336 38691 413d4c 38421->38691 38432 445389 258 API calls 38422->38432 38433 445d71 38423->38433 38498 445d67 38423->38498 38425 445665 38805 40b1ab ??3@YAXPAX ??3@YAXPAX 38425->38805 38434 409d1f 6 API calls 38426->38434 38427->38347 38427->38348 38428->38379 38428->38380 38428->38381 38429 445389 258 API calls 38429->38354 38438 445c17 38432->38438 38912 445093 23 API calls 38433->38912 38441 445e03 38434->38441 38436->38427 38437 4456d8 38443 40b2cc 27 API calls 38437->38443 38444 40b2cc 27 API calls 38438->38444 38440 44563c 38440->38425 38446 4087b3 338 API calls 38440->38446 38913 409b98 GetFileAttributesW 38441->38913 38442 40b6ef 252 API calls 38442->38379 38448 4456e2 38443->38448 38449 445c23 38444->38449 38445 445d83 38445->38379 38446->38440 38807 413fa6 _wcsicmp _wcsicmp 38448->38807 38453 409d1f 6 API calls 38449->38453 38451 445e12 38458 445e6b 38451->38458 38464 40b2cc 27 API calls 38451->38464 38456 445c37 38453->38456 38454 445aa1 38457 445b17 38454->38457 38472 445ab2 memset 38454->38472 38485 409d1f 6 API calls 38454->38485 38781 40add4 38454->38781 38786 445389 38454->38786 38795 40ae51 38454->38795 38455 4456eb 38460 4456fd memset memset memset memset 38455->38460 38461 4457ea 38455->38461 38462 445389 258 API calls 38456->38462 38888 40aebe 38457->38888 38915 445093 23 API calls 38458->38915 38808 409c70 wcscpy wcsrchr 38460->38808 38811 413d29 38461->38811 38467 445c47 38462->38467 38468 445e33 38464->38468 38474 40b2cc 27 API calls 38467->38474 38475 409d1f 6 API calls 38468->38475 38470 445e7e 38471 445f67 38470->38471 38480 40b2cc 27 API calls 38471->38480 38476 40b2cc 27 API calls 38472->38476 38478 445c53 38474->38478 38479 445e47 38475->38479 38476->38454 38477 409c70 2 API calls 38481 44577e 38477->38481 38482 409d1f 6 API calls 38478->38482 38914 409b98 GetFileAttributesW 38479->38914 38484 445f73 38480->38484 38486 409c70 2 API calls 38481->38486 38487 445c67 38482->38487 38489 409d1f 6 API calls 
38484->38489 38485->38454 38490 44578d 38486->38490 38491 445389 258 API calls 38487->38491 38488 445e56 38488->38458 38494 445e83 memset 38488->38494 38492 445f87 38489->38492 38490->38461 38497 40b2cc 27 API calls 38490->38497 38491->38354 38918 409b98 GetFileAttributesW 38492->38918 38496 40b2cc 27 API calls 38494->38496 38499 445eab 38496->38499 38500 4457a8 38497->38500 38498->38379 38498->38442 38501 409d1f 6 API calls 38499->38501 38502 409d1f 6 API calls 38500->38502 38503 445ebf 38501->38503 38504 4457b8 38502->38504 38505 40ae18 9 API calls 38503->38505 38810 409b98 GetFileAttributesW 38504->38810 38515 445ef5 38505->38515 38507 4457c7 38507->38461 38509 4087b3 338 API calls 38507->38509 38508 40ae51 9 API calls 38508->38515 38509->38461 38510 445f5c 38512 40aebe FindClose 38510->38512 38511 40add4 2 API calls 38511->38515 38512->38471 38513 40b2cc 27 API calls 38513->38515 38514 409d1f 6 API calls 38514->38515 38515->38508 38515->38510 38515->38511 38515->38513 38515->38514 38517 445f3a 38515->38517 38916 409b98 GetFileAttributesW 38515->38916 38917 445093 23 API calls 38517->38917 38519->38318 38520->38320 38521->38318 38522->38313 38524 40c775 38523->38524 38919 40b1ab ??3@YAXPAX ??3@YAXPAX 38524->38919 38526 40c788 38920 40b1ab ??3@YAXPAX ??3@YAXPAX 38526->38920 38528 40c790 38921 40b1ab ??3@YAXPAX ??3@YAXPAX 38528->38921 38530 40c798 38531 40aa04 ??3@YAXPAX 38530->38531 38532 40c7a0 38531->38532 38922 40c274 memset 38532->38922 38537 40a8ab 9 API calls 38538 40c7c3 38537->38538 38539 40a8ab 9 API calls 38538->38539 38540 40c7d0 38539->38540 38951 40c3c3 38540->38951 38544 40c877 38553 40bdb0 38544->38553 38545 40c86c 38993 4053fe 39 API calls 38545->38993 38547 40c7e5 38547->38544 38547->38545 38552 40c634 49 API calls 38547->38552 38976 40a706 38547->38976 38552->38547 39161 404363 38553->39161 38556 40bf5d 39181 40440c 38556->39181 38558 40bdee 38558->38556 38561 40b2cc 27 API calls 38558->38561 38559 40bddf CredEnumerateW 38559->38558 38562 40be02 
wcslen 38561->38562 38562->38556 38565 40be1e 38562->38565 38563 40be26 _wcsncoll 38563->38565 38565->38556 38565->38563 38567 40be7d memset 38565->38567 38568 40bea7 memcpy 38565->38568 38569 40bf11 wcschr 38565->38569 38570 40b2cc 27 API calls 38565->38570 38572 40bf43 LocalFree 38565->38572 39184 40bd5d 28 API calls 38565->39184 39185 404423 38565->39185 38567->38565 38567->38568 38568->38565 38568->38569 38569->38565 38571 40bef6 _wcsnicmp 38570->38571 38571->38565 38571->38569 38572->38565 38573 4135f7 39198 4135e0 38573->39198 38576 40b2cc 27 API calls 38577 41360d 38576->38577 38578 40a804 8 API calls 38577->38578 38579 413613 38578->38579 38580 41361b 38579->38580 38581 41363e 38579->38581 38582 40b273 27 API calls 38580->38582 38583 4135e0 FreeLibrary 38581->38583 38584 413625 GetProcAddress 38582->38584 38585 413643 38583->38585 38584->38581 38586 413648 38584->38586 38585->38351 38587 413658 38586->38587 38588 4135e0 FreeLibrary 38586->38588 38587->38351 38589 413666 38588->38589 38589->38351 39201 4449b9 38590->39201 38593 444c1f 38593->38328 38594 4449b9 42 API calls 38596 444b4b 38594->38596 38595 444c15 38598 4449b9 42 API calls 38595->38598 38596->38595 39222 444972 GetVersionExW 38596->39222 38598->38593 38599 444b99 memcmp 38604 444b8c 38599->38604 38600 444c0b 39226 444a85 42 API calls 38600->39226 38604->38599 38604->38600 39223 444aa5 42 API calls 38604->39223 39224 40a7a0 GetVersionExW 38604->39224 39225 444a85 42 API calls 38604->39225 38607 40399d 38606->38607 39227 403a16 38607->39227 38609 403a09 39241 40b1ab ??3@YAXPAX ??3@YAXPAX 38609->39241 38611 403a12 wcsrchr 38611->38343 38612 4039a3 38612->38609 38615 4039f4 38612->38615 39238 40a02c CreateFileW 38612->39238 38615->38609 38616 4099c6 2 API calls 38615->38616 38616->38609 38618 414c2e 16 API calls 38617->38618 38619 404048 38618->38619 38620 414c2e 16 API calls 38619->38620 38621 404056 38620->38621 38622 409d1f 6 API calls 38621->38622 38623 404073 38622->38623 38624 409d1f 6 API 
calls 38623->38624 38625 40408e 38624->38625 38626 409d1f 6 API calls 38625->38626 38627 4040a6 38626->38627 38628 403af5 20 API calls 38627->38628 38629 4040ba 38628->38629 38630 403af5 20 API calls 38629->38630 38631 4040cb 38630->38631 39268 40414f memset 38631->39268 38633 404140 39282 40b1ab ??3@YAXPAX ??3@YAXPAX 38633->39282 38635 4040ec memset 38638 4040e0 38635->38638 38636 404148 38636->38399 38637 4099c6 2 API calls 38637->38638 38638->38633 38638->38635 38638->38637 38639 40a8ab 9 API calls 38638->38639 38639->38638 39295 40a6e6 WideCharToMultiByte 38640->39295 38642 4087ed 39296 4095d9 memset 38642->39296 38645 408953 38645->38399 38646 408809 memset memset memset memset memset 38647 40b2cc 27 API calls 38646->38647 38648 4088a1 38647->38648 38649 409d1f 6 API calls 38648->38649 38650 4088b1 38649->38650 38651 40b2cc 27 API calls 38650->38651 38652 4088c0 38651->38652 38653 409d1f 6 API calls 38652->38653 38654 4088d0 38653->38654 38655 40b2cc 27 API calls 38654->38655 38656 4088df 38655->38656 38657 409d1f 6 API calls 38656->38657 38658 4088ef 38657->38658 38659 40b2cc 27 API calls 38658->38659 38660 4088fe 38659->38660 38661 409d1f 6 API calls 38660->38661 38662 40890e 38661->38662 38663 40b2cc 27 API calls 38662->38663 38664 40891d 38663->38664 38665 409d1f 6 API calls 38664->38665 38666 40892d 38665->38666 38692 40b633 ??3@YAXPAX 38691->38692 38693 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38692->38693 38694 413f00 Process32NextW 38693->38694 38695 413da5 OpenProcess 38694->38695 38696 413f17 FindCloseChangeNotification 38694->38696 38697 413df3 memset 38695->38697 38700 413eb0 38695->38700 38696->38437 39607 413f27 38697->39607 38699 413ebf ??3@YAXPAX 38699->38700 38700->38694 38700->38699 38701 4099f4 3 API calls 38700->38701 38701->38700 38703 413e37 GetModuleHandleW 38704 413e1f 38703->38704 38705 413e46 GetProcAddress 38703->38705 38704->38703 39612 413959 38704->39612 39628 413ca4 38704->39628 38705->38704 38707 413ea2 CloseHandle 
38707->38700 38709 414c2e 16 API calls 38708->38709 38710 403eb7 38709->38710 38711 414c2e 16 API calls 38710->38711 38712 403ec5 38711->38712 38713 409d1f 6 API calls 38712->38713 38714 403ee2 38713->38714 38715 409d1f 6 API calls 38714->38715 38716 403efd 38715->38716 38717 409d1f 6 API calls 38716->38717 38718 403f15 38717->38718 38719 403af5 20 API calls 38718->38719 38720 403f29 38719->38720 38721 403af5 20 API calls 38720->38721 38722 403f3a 38721->38722 38723 40414f 33 API calls 38722->38723 38724 403f4f 38723->38724 38725 403faf 38724->38725 38727 403f5b memset 38724->38727 38729 4099c6 2 API calls 38724->38729 38730 40a8ab 9 API calls 38724->38730 39642 40b1ab ??3@YAXPAX ??3@YAXPAX 38725->39642 38727->38724 38728 403fb7 38728->38383 38729->38724 38730->38724 38732 414c2e 16 API calls 38731->38732 38733 403d26 38732->38733 38734 414c2e 16 API calls 38733->38734 38735 403d34 38734->38735 38736 409d1f 6 API calls 38735->38736 38737 403d51 38736->38737 38738 409d1f 6 API calls 38737->38738 38739 403d6c 38738->38739 38740 409d1f 6 API calls 38739->38740 38741 403d84 38740->38741 38742 403af5 20 API calls 38741->38742 38743 403d98 38742->38743 38744 403af5 20 API calls 38743->38744 38745 403da9 38744->38745 38746 40414f 33 API calls 38745->38746 38747 403dbe 38746->38747 38748 403e1e 38747->38748 38749 403dca memset 38747->38749 38752 4099c6 2 API calls 38747->38752 38753 40a8ab 9 API calls 38747->38753 39643 40b1ab ??3@YAXPAX ??3@YAXPAX 38748->39643 38749->38747 38751 403e26 38751->38387 38752->38747 38753->38747 38755 414b81 9 API calls 38754->38755 38756 414c40 38755->38756 38757 414c73 memset 38756->38757 39644 409cea 38756->39644 38758 414c94 38757->38758 39647 414592 RegOpenKeyExW 38758->39647 38761 414c64 38761->38377 38763 414cc1 38764 414cf4 wcscpy 38763->38764 39648 414bb0 wcscpy 38763->39648 38764->38761 38766 414cd2 39649 4145ac RegQueryValueExW 38766->39649 38768 414ce9 RegCloseKey 38768->38764 38770 409d62 38769->38770 38771 409d43 wcscpy 
38769->38771 38770->38419 38772 409719 2 API calls 38771->38772 38773 409d51 wcscat 38772->38773 38773->38770 38775 40aebe FindClose 38774->38775 38776 40ae21 38775->38776 38777 4099c6 2 API calls 38776->38777 38778 40ae35 38777->38778 38779 409d1f 6 API calls 38778->38779 38780 40ae49 38779->38780 38780->38454 38782 40ade0 38781->38782 38783 40ae0f 38781->38783 38782->38783 38784 40ade7 wcscmp 38782->38784 38783->38454 38784->38783 38785 40adfe wcscmp 38784->38785 38785->38783 38787 40ae18 9 API calls 38786->38787 38793 4453c4 38787->38793 38788 40ae51 9 API calls 38788->38793 38789 4453f3 38791 40aebe FindClose 38789->38791 38790 40add4 2 API calls 38790->38793 38792 4453fe 38791->38792 38792->38454 38793->38788 38793->38789 38793->38790 38794 445403 253 API calls 38793->38794 38794->38793 38796 40ae7b FindNextFileW 38795->38796 38797 40ae5c FindFirstFileW 38795->38797 38798 40ae94 38796->38798 38799 40ae8f 38796->38799 38797->38798 38801 40aeb6 38798->38801 38802 409d1f 6 API calls 38798->38802 38800 40aebe FindClose 38799->38800 38800->38798 38801->38454 38802->38801 38803->38386 38804->38440 38805->38421 38806->38421 38807->38455 38809 409c89 38808->38809 38809->38477 38810->38507 38812 413d39 38811->38812 38813 413d2f FreeLibrary 38811->38813 38814 40b633 ??3@YAXPAX 38812->38814 38813->38812 38815 413d42 38814->38815 38816 40b633 ??3@YAXPAX 38815->38816 38817 413d4a 38816->38817 38817->38336 38818->38340 38819->38389 38820->38403 38822 44db70 38821->38822 38823 40b6fc memset 38822->38823 38824 409c70 2 API calls 38823->38824 38825 40b732 wcsrchr 38824->38825 38826 40b743 38825->38826 38827 40b746 memset 38825->38827 38826->38827 38828 40b2cc 27 API calls 38827->38828 38829 40b76f 38828->38829 38830 409d1f 6 API calls 38829->38830 38831 40b783 38830->38831 39650 409b98 GetFileAttributesW 38831->39650 38833 40b792 38834 40b7c2 38833->38834 38835 409c70 2 API calls 38833->38835 39651 40bb98 38834->39651 38837 40b7a5 38835->38837 38839 40b2cc 27 API calls 
38837->38839 38843 40b7b2 38839->38843 38840 40b837 FindCloseChangeNotification 38842 40b83e memset 38840->38842 38841 40b817 39685 409a45 GetTempPathW 38841->39685 39684 40a6e6 WideCharToMultiByte 38842->39684 38846 409d1f 6 API calls 38843->38846 38846->38834 38847 40b827 CopyFileW 38847->38842 38848 40b866 38849 444432 121 API calls 38848->38849 38850 40b879 38849->38850 38851 40bad5 38850->38851 38852 40b273 27 API calls 38850->38852 38853 40baeb 38851->38853 38854 40bade DeleteFileW 38851->38854 38855 40b89a 38852->38855 38856 40b04b ??3@YAXPAX 38853->38856 38854->38853 38857 438552 134 API calls 38855->38857 38858 40baf3 38856->38858 38859 40b8a4 38857->38859 38858->38413 38860 40bacd 38859->38860 38862 4251c4 137 API calls 38859->38862 38861 443d90 111 API calls 38860->38861 38861->38851 38885 40b8b8 38862->38885 38863 40bac6 39697 424f26 123 API calls 38863->39697 38864 40b8bd memset 39688 425413 17 API calls 38864->39688 38867 425413 17 API calls 38867->38885 38870 40a71b MultiByteToWideChar 38870->38885 38871 40a734 MultiByteToWideChar 38871->38885 38874 40b9b5 memcmp 38874->38885 38875 4099c6 2 API calls 38875->38885 38876 404423 37 API calls 38876->38885 38878 40bb3e memset memcpy 39698 40a734 MultiByteToWideChar 38878->39698 38879 4251c4 137 API calls 38879->38885 38882 40bb88 LocalFree 38882->38885 38885->38863 38885->38864 38885->38867 38885->38870 38885->38871 38885->38874 38885->38875 38885->38876 38885->38878 38885->38879 38886 40ba5f memcmp 38885->38886 39689 4253ef 16 API calls 38885->39689 39690 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38885->39690 39691 4253af 17 API calls 38885->39691 39692 4253cf 17 API calls 38885->39692 39693 447280 memset 38885->39693 39694 447960 memset memcpy memcpy memcpy 38885->39694 39695 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38885->39695 39696 447920 memcpy memcpy memcpy 38885->39696 38886->38885 38887->38415 38889 40aed1 38888->38889 38890 40aec7 FindClose 38888->38890 38889->38348 38890->38889 38892 
4099d7 38891->38892 38893 4099da memcpy 38891->38893 38892->38893 38893->38398 38895 40b2cc 27 API calls 38894->38895 38896 44543f 38895->38896 38897 409d1f 6 API calls 38896->38897 38898 44544f 38897->38898 39790 409b98 GetFileAttributesW 38898->39790 38900 44545e 38901 445476 38900->38901 38902 40b6ef 252 API calls 38900->38902 38903 40b2cc 27 API calls 38901->38903 38902->38901 38904 445482 38903->38904 38905 409d1f 6 API calls 38904->38905 38906 445492 38905->38906 39791 409b98 GetFileAttributesW 38906->39791 38908 4454a1 38909 4454b9 38908->38909 38910 40b6ef 252 API calls 38908->38910 38909->38429 38910->38909 38911->38428 38912->38445 38913->38451 38914->38488 38915->38470 38916->38515 38917->38515 38918->38498 38919->38526 38920->38528 38921->38530 38923 414c2e 16 API calls 38922->38923 38924 40c2ae 38923->38924 38994 40c1d3 38924->38994 38929 40c3be 38946 40a8ab 38929->38946 38930 40afcf 2 API calls 38931 40c2fd FindFirstUrlCacheEntryW 38930->38931 38932 40c3b6 38931->38932 38933 40c31e wcschr 38931->38933 38934 40b04b ??3@YAXPAX 38932->38934 38935 40c331 38933->38935 38936 40c35e FindNextUrlCacheEntryW 38933->38936 38934->38929 38937 40a8ab 9 API calls 38935->38937 38936->38933 38938 40c373 GetLastError 38936->38938 38941 40c33e wcschr 38937->38941 38939 40c3ad FindCloseUrlCache 38938->38939 38940 40c37e 38938->38940 38939->38932 38942 40afcf 2 API calls 38940->38942 38941->38936 38943 40c34f 38941->38943 38944 40c391 FindNextUrlCacheEntryW 38942->38944 38945 40a8ab 9 API calls 38943->38945 38944->38933 38944->38939 38945->38936 39088 40a97a 38946->39088 38949 40a8cc 38949->38537 38950 40a8d0 7 API calls 38950->38949 39093 40b1ab ??3@YAXPAX ??3@YAXPAX 38951->39093 38953 40c3dd 38954 40b2cc 27 API calls 38953->38954 38955 40c3e7 38954->38955 39094 414592 RegOpenKeyExW 38955->39094 38957 40c3f4 38958 40c50e 38957->38958 38959 40c3ff 38957->38959 38973 405337 38958->38973 38960 40a9ce 4 API calls 38959->38960 38961 40c418 memset 38960->38961 39095 40aa1d 
38961->39095 38964 40c471 38966 40c47a _wcsupr 38964->38966 38965 40c505 RegCloseKey 38965->38958 38967 40a8d0 7 API calls 38966->38967 38968 40c498 38967->38968 38969 40a8d0 7 API calls 38968->38969 38970 40c4ac memset 38969->38970 38971 40aa1d 38970->38971 38972 40c4e4 RegEnumValueW 38971->38972 38972->38965 38972->38966 39097 405220 38973->39097 38977 4099c6 2 API calls 38976->38977 38978 40a714 _wcslwr 38977->38978 38979 40c634 38978->38979 39154 405361 38979->39154 38982 40c65c wcslen 39157 4053b6 39 API calls 38982->39157 38983 40c71d wcslen 38983->38547 38985 40c713 39160 4053df 39 API calls 38985->39160 38986 40c677 38986->38985 39158 40538b 39 API calls 38986->39158 38989 40c6a5 38989->38985 38990 40c6a9 memset 38989->38990 38991 40c6d3 38990->38991 39159 40c589 43 API calls 38991->39159 38993->38544 38995 40ae18 9 API calls 38994->38995 39001 40c210 38995->39001 38996 40ae51 9 API calls 38996->39001 38997 40c264 38998 40aebe FindClose 38997->38998 39000 40c26f 38998->39000 38999 40add4 2 API calls 38999->39001 39006 40e5ed memset memset 39000->39006 39001->38996 39001->38997 39001->38999 39002 40c231 _wcsicmp 39001->39002 39003 40c1d3 35 API calls 39001->39003 39002->39001 39004 40c248 39002->39004 39003->39001 39019 40c084 22 API calls 39004->39019 39007 414c2e 16 API calls 39006->39007 39008 40e63f 39007->39008 39009 409d1f 6 API calls 39008->39009 39010 40e658 39009->39010 39020 409b98 GetFileAttributesW 39010->39020 39012 40e667 39013 40e680 39012->39013 39015 409d1f 6 API calls 39012->39015 39021 409b98 GetFileAttributesW 39013->39021 39015->39013 39016 40e68f 39017 40c2d8 39016->39017 39022 40e4b2 39016->39022 39017->38929 39017->38930 39019->39001 39020->39012 39021->39016 39043 40e01e 39022->39043 39024 40e593 39026 40e5b0 39024->39026 39027 40e59c DeleteFileW 39024->39027 39025 40e521 39025->39024 39066 40e175 39025->39066 39028 40b04b ??3@YAXPAX 39026->39028 39027->39026 39029 40e5bb 39028->39029 39031 40e5c4 CloseHandle 39029->39031 39032 
40e5cc 39029->39032 39031->39032 39034 40b633 ??3@YAXPAX 39032->39034 39033 40e573 39035 40e584 39033->39035 39036 40e57c FindCloseChangeNotification 39033->39036 39037 40e5db 39034->39037 39087 40b1ab ??3@YAXPAX ??3@YAXPAX 39035->39087 39036->39035 39040 40b633 ??3@YAXPAX 39037->39040 39039 40e540 39039->39033 39086 40e2ab 30 API calls 39039->39086 39041 40e5e3 39040->39041 39041->39017 39044 406214 22 API calls 39043->39044 39045 40e03c 39044->39045 39046 40e16b 39045->39046 39047 40dd85 74 API calls 39045->39047 39046->39025 39048 40e06b 39047->39048 39048->39046 39049 40afcf ??2@YAPAXI ??3@YAXPAX 39048->39049 39050 40e08d OpenProcess 39049->39050 39051 40e0a4 GetCurrentProcess DuplicateHandle 39050->39051 39055 40e152 39050->39055 39052 40e0d0 GetFileSize 39051->39052 39053 40e14a CloseHandle 39051->39053 39056 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 39052->39056 39053->39055 39054 40e160 39058 40b04b ??3@YAXPAX 39054->39058 39055->39054 39057 406214 22 API calls 39055->39057 39059 40e0ea 39056->39059 39057->39054 39058->39046 39060 4096dc CreateFileW 39059->39060 39061 40e0f1 CreateFileMappingW 39060->39061 39062 40e140 CloseHandle CloseHandle 39061->39062 39063 40e10b MapViewOfFile 39061->39063 39062->39053 39064 40e13b FindCloseChangeNotification 39063->39064 39065 40e11f WriteFile UnmapViewOfFile 39063->39065 39064->39062 39065->39064 39067 40e18c 39066->39067 39068 406b90 11 API calls 39067->39068 39069 40e19f 39068->39069 39070 40e1a7 memset 39069->39070 39071 40e299 39069->39071 39076 40e1e8 39070->39076 39072 4069a3 ??3@YAXPAX ??3@YAXPAX 39071->39072 39073 40e2a4 39072->39073 39073->39039 39074 406e8f 13 API calls 39074->39076 39075 406b53 SetFilePointerEx ReadFile 39075->39076 39076->39074 39076->39075 39077 40e283 39076->39077 39078 40dd50 _wcsicmp 39076->39078 39082 40742e 8 API calls 39076->39082 39083 40aae3 wcslen wcslen _memicmp 39076->39083 39084 40e244 _snwprintf 39076->39084 39079 40e291 39077->39079 39080 40e288 ??3@YAXPAX 
39077->39080 39078->39076 39081 40aa04 ??3@YAXPAX 39079->39081 39080->39079 39081->39071 39082->39076 39083->39076 39085 40a8d0 7 API calls 39084->39085 39085->39076 39086->39039 39087->39024 39090 40a980 39088->39090 39089 40a8bb 39089->38949 39089->38950 39090->39089 39091 40a995 _wcsicmp 39090->39091 39092 40a99c wcscmp 39090->39092 39091->39090 39092->39090 39093->38953 39094->38957 39096 40aa23 RegEnumValueW 39095->39096 39096->38964 39096->38965 39098 405335 39097->39098 39099 40522a 39097->39099 39098->38547 39100 40b2cc 27 API calls 39099->39100 39101 405234 39100->39101 39102 40a804 8 API calls 39101->39102 39103 40523a 39102->39103 39142 40b273 39103->39142 39105 405248 _mbscpy _mbscat GetProcAddress 39106 40b273 27 API calls 39105->39106 39107 405279 39106->39107 39145 405211 GetProcAddress 39107->39145 39109 405282 39110 40b273 27 API calls 39109->39110 39111 40528f 39110->39111 39146 405211 GetProcAddress 39111->39146 39113 405298 39114 40b273 27 API calls 39113->39114 39115 4052a5 39114->39115 39147 405211 GetProcAddress 39115->39147 39117 4052ae 39118 40b273 27 API calls 39117->39118 39119 4052bb 39118->39119 39148 405211 GetProcAddress 39119->39148 39121 4052c4 39122 40b273 27 API calls 39121->39122 39123 4052d1 39122->39123 39149 405211 GetProcAddress 39123->39149 39125 4052da 39126 40b273 27 API calls 39125->39126 39127 4052e7 39126->39127 39150 405211 GetProcAddress 39127->39150 39129 4052f0 39130 40b273 27 API calls 39129->39130 39131 4052fd 39130->39131 39151 405211 GetProcAddress 39131->39151 39133 405306 39134 40b273 27 API calls 39133->39134 39135 405313 39134->39135 39152 405211 GetProcAddress 39135->39152 39137 40531c 39138 40b273 27 API calls 39137->39138 39139 405329 39138->39139 39143 40b58d 27 API calls 39142->39143 39144 40b18c 39143->39144 39144->39105 39145->39109 39146->39113 39147->39117 39148->39121 39149->39125 39150->39129 39151->39133 39152->39137 39155 405220 39 API calls 39154->39155 39156 405369 39155->39156 39156->38982 
39156->38983 39157->38986 39158->38989 39159->38985 39160->38983 39162 40440c FreeLibrary 39161->39162 39163 40436d 39162->39163 39164 40a804 8 API calls 39163->39164 39165 404377 39164->39165 39166 404383 39165->39166 39167 404405 39165->39167 39168 40b273 27 API calls 39166->39168 39167->38556 39167->38558 39167->38559 39169 40438d GetProcAddress 39168->39169 39170 40b273 27 API calls 39169->39170 39171 4043a7 GetProcAddress 39170->39171 39172 40b273 27 API calls 39171->39172 39173 4043ba GetProcAddress 39172->39173 39174 40b273 27 API calls 39173->39174 39175 4043ce GetProcAddress 39174->39175 39176 40b273 27 API calls 39175->39176 39177 4043e2 GetProcAddress 39176->39177 39178 4043f1 39177->39178 39179 4043f7 39178->39179 39180 40440c FreeLibrary 39178->39180 39179->39167 39180->39167 39182 404413 FreeLibrary 39181->39182 39183 40441e 39181->39183 39182->39183 39183->38573 39184->38565 39186 40442e 39185->39186 39187 40447e 39185->39187 39188 40b2cc 27 API calls 39186->39188 39187->38565 39189 404438 39188->39189 39190 40a804 8 API calls 39189->39190 39191 40443e 39190->39191 39192 404445 39191->39192 39193 404467 39191->39193 39194 40b273 27 API calls 39192->39194 39193->39187 39195 404475 FreeLibrary 39193->39195 39196 40444f GetProcAddress 39194->39196 39195->39187 39196->39193 39197 404460 39196->39197 39197->39193 39199 4135f6 39198->39199 39200 4135eb FreeLibrary 39198->39200 39199->38576 39200->39199 39202 4449c4 39201->39202 39203 444a52 39201->39203 39204 40b2cc 27 API calls 39202->39204 39203->38593 39203->38594 39205 4449cb 39204->39205 39206 40a804 8 API calls 39205->39206 39207 4449d1 39206->39207 39208 40b273 27 API calls 39207->39208 39209 4449dc GetProcAddress 39208->39209 39210 40b273 27 API calls 39209->39210 39211 4449f3 GetProcAddress 39210->39211 39212 40b273 27 API calls 39211->39212 39213 444a04 GetProcAddress 39212->39213 39214 40b273 27 API calls 39213->39214 39215 444a15 GetProcAddress 39214->39215 39216 40b273 27 API calls 
                                      Execution graph (remainder): the node-to-node edge data of the rendered graph is omitted here, since it carries no meaning without the drawing. Recoverable detail from the node labels:
                                      • File probing and reading: CreateFileW, GetFileAttributesW, GetFileTime, CompareFileTime, GetFileSize, SetFilePointer and ReadFile (each followed by GetLastError checks at 0041759C and 00417627), FindClose, UnmapViewOfFile + CloseHandle (00417BF6), GetWindowsDirectoryW, GetTempFileNameW (00409A66/00409A74), LocalFree. The helper at 0040CC26 is CreateFileW, GetFileSize, ReadFile, MultiByteToWideChar, then a handle close.
                                      • INI-style settings storage: GetPrivateProfileStringW / WritePrivateProfileStringW (004144A3/00414495), GetPrivateProfileIntW (0041457F), _itow + WritePrivateProfileStringW (004143F1).
                                      • PE resources: FindResourceW, SizeofResource, LoadResource, LockResource (004148B6-004148EE), EnumResourceNamesW (0041493C).
                                      • Run-time import resolution and host introspection: GetModuleHandleW + GetProcAddress followed by GetProcessTimes (00413CB0-00413CE3), five consecutive GetProcAddress calls at 00413F5F, K32GetModuleFileNameExW at 00413F37 (reached from 00413F2F), FreeLibrary at 0044DEB5, GetVersionExW at 00409CF9.
                                      • A close-and-retry loop at 004175C8-004175DF: FindCloseChangeNotification, Sleep, close again.
                                      • CRT string and memory work throughout: memset, memcpy, memcmp, memmove, wcscpy, wcscat, wcscmp, _wcsicmp, _memicmp, wcschr, wcslen, _snwprintf, strlen, WideCharToMultiByte, MultiByteToWideChar, malloc, realloc, ??3@YAXPAX (operator delete), __aullrem / __aulldvrm.

                                      Control-flow Graph (function 0040DD85)
                                      The basic-block edge data of the rendered graph is omitted; the executed / not-executed colouring does not survive in text. Block sequence by address, with the calls each block makes:
                                      • 40dd85-40ddeb: memset, call 00409BCA (GetModuleFileNameW), CreateFileW
                                      • 40ddf1-40de09: call 0040AFCF (buffer allocation), call 0041352F (resolves the Nt* exports listed below)
                                      • 40de0b-40de1a: NtQuerySystemInformation; 40de29-40de39 either branches back to 40ddf1, so the buffer is reallocated and the query repeated, or falls through
                                      • 40de3b-40de52: FindCloseChangeNotification, GetCurrentProcessId; 40de54-40de78 is a short loop without API calls
                                      • 40de7a-40de8e: call 00413CFA, call 00413D4C (the process enumeration summarised in the next function)
                                      • 40de94-40debb, 40debd-40dece, 40ded0-40dee1: call 0040E6AD, call 00409C52, then three _wcsicmp comparisons; a hit on any of them leads to 40dee7 (OpenProcess), no hit to 40dffd-40e006, which returns to 40de94 for the next process or exits to 40e00c. The string table below holds exactly three process names: dllhost.exe, taskhost.exe, taskhostex.exe
                                      • 40dee7-40def7: OpenProcess; 40df23-40df4a: GetCurrentProcess, DuplicateHandle
                                      • 40df4c-40df76: memset, call 0041352F; 40df8f-40dfbb: CloseHandle, call 00409C52 (twice), _wcsicmp; 40dfbd-40dfd3 loops back to 40df0b
                                      • 40dfef-40dff2: CloseHandle (the opened process); 40e00c-40e01b: call 00413D29
                                      APIs
                                      • memset.MSVCRT ref: 0040DDAD
                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5 (a NULL module handle returns the path of the sample's own image)
                                      • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4 (GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, OPEN_EXISTING)
                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8 (operator new; this allocation sits in the block the query loop returns to)
                                        • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                      • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15 (information class 0x10 = SystemHandleInformation, the system-wide handle table; the graph's loop back to 0040DDF1 reallocates and retries, and the 0xC0000004 seen in the captured arguments is STATUS_INFO_LENGTH_MISMATCH, the status this call returns when the buffer is too small)
                                      • FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E (KernelBase exposes this name at the CloseHandle entry point, so the plugin labels handle closes this way; read it as CloseHandle, most plausibly on the handle from CreateFileW above)
                                      • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                      • _wcsicmp.MSVCRT ref: 0040DEB2
                                      • _wcsicmp.MSVCRT ref: 0040DEC5
                                      • _wcsicmp.MSVCRT ref: 0040DED8
                                      • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC (desired access 0x40 = PROCESS_DUP_HANDLE, the minimum needed to pull handles out of another process; per the branch structure above it is only reached for processes whose name matches one of the three strings below)
                                      • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                      • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41 (copies a handle from the opened process into this one, GetCurrentProcess being the target; the duplicate is closed at 0040DF92 after the name comparison at 0040DFB2)
                                      • memset.MSVCRT ref: 0040DF5F
                                      • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                      • _wcsicmp.MSVCRT ref: 0040DFB2
                                      • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
                                      • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                      • API String ID: 594330280-3398334509
                                      • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                      • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                      • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                      • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
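The 0040DD85 summary above has the shape of a system-wide handle walk: NtQuerySystemInformation with class 0x10, a reallocate-and-retry loop on STATUS_INFO_LENGTH_MISMATCH, then a per-entry pass that duplicates handles out of selected processes. The Python below is an added example for this report, not code from the sample or from Joe Sandbox: it decodes the documented 32-bit SYSTEM_HANDLE_INFORMATION layout from a constructed buffer and drives the retry loop against a stand-in for the native call. The sample buffer, the fake query function and the doubling growth strategy are this example's assumptions; the struct layout, the information class and the status values are the documented ones.

```python
"""Parse a 32-bit SYSTEM_HANDLE_INFORMATION buffer and drive the grow-and-retry
loop that the 0040DD85 graph shows around NtQuerySystemInformation.

Added example for this report, not code from the sample or from Joe Sandbox.
Constructed data: SAMPLE_ENTRIES and make_fake_query() stand in for a live system.
"""
import struct
from dataclasses import dataclass

STATUS_SUCCESS = 0x00000000
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004   # the C0000004 captured in the report
SYSTEM_HANDLE_INFORMATION = 0x10           # first argument of the captured call

# Documented 32-bit SYSTEM_HANDLE_TABLE_ENTRY_INFO (16 bytes):
#   USHORT UniqueProcessId; USHORT CreatorBackTraceIndex; UCHAR ObjectTypeIndex;
#   UCHAR HandleAttributes; USHORT HandleValue; PVOID Object; ULONG GrantedAccess;
ENTRY_FMT = "<HHBBHLL"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)    # 16
HEADER_FMT = "<L"                          # ULONG NumberOfHandles
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 4


@dataclass(frozen=True)
class HandleEntry:
    pid: int
    type_index: int
    attributes: int
    handle: int
    object: int
    granted_access: int


def parse_handle_information(buf: bytes) -> list:
    """Decode NumberOfHandles and the entry array; reject a truncated buffer."""
    if len(buf) < HEADER_SIZE:
        raise ValueError("buffer shorter than the SYSTEM_HANDLE_INFORMATION header")
    (count,) = struct.unpack_from(HEADER_FMT, buf, 0)
    needed = HEADER_SIZE + count * ENTRY_SIZE
    if len(buf) < needed:
        raise ValueError(f"buffer holds {len(buf)} bytes, header promises {needed}")
    entries = []
    for i in range(count):
        pid, _bt, tidx, attrs, hval, obj, access = struct.unpack_from(
            ENTRY_FMT, buf, HEADER_SIZE + i * ENTRY_SIZE)
        entries.append(HandleEntry(pid, tidx, attrs, hval, obj, access))
    return entries


def query_with_retry(query, initial_size=0x1000, max_size=1 << 26) -> bytes:
    """Query, and on STATUS_INFO_LENGTH_MISMATCH grow the buffer and try again.

    Mirrors the 40ddf1 -> 40de0b -> 40de29 -> 40ddf1 cycle in the graph. The 0x1000
    start matches the captured arguments; doubling is this example's choice, the
    report does not show how the sample grows its buffer.
    """
    size = initial_size
    while size <= max_size:
        status, buf = query(size)
        if status == STATUS_SUCCESS:
            return buf
        if status != STATUS_INFO_LENGTH_MISMATCH:
            raise OSError(f"NtQuerySystemInformation failed: NTSTATUS 0x{status:08X}")
        size *= 2
    raise MemoryError("handle table larger than max_size")


def handles_in_process(entries, pid: int) -> list:
    """Restrict the table to one process, the step before OpenProcess/DuplicateHandle."""
    return [e for e in entries if e.pid == pid]


def build_handle_information(entries) -> bytes:
    """Serialise entries in the same layout (fixture builder for constructed data)."""
    out = bytearray(struct.pack(HEADER_FMT, len(entries)))
    for e in entries:
        out += struct.pack(ENTRY_FMT, e.pid, 0, e.type_index, e.attributes,
                           e.handle, e.object, e.granted_access)
    return bytes(out)


def make_fake_query(snapshot: bytes):
    """Stand-in for NtQuerySystemInformation: mismatch until the buffer fits."""
    calls = []

    def query(size: int):
        calls.append(size)
        if size < len(snapshot):
            return STATUS_INFO_LENGTH_MISMATCH, b""
        return STATUS_SUCCESS, snapshot
    query.calls = calls
    return query


# Constructed snapshot: 400 entries owned by PID 4 plus two owned by PID 1234.
SAMPLE_ENTRIES = (
    [HandleEntry(4, 0x1E, 0, 4 * i + 4, 0x8A000000 + i, 0x1F0003) for i in range(400)]
    + [HandleEntry(1234, 0x28, 0, 0x1A4, 0x8B000000, 0x120089),
       HandleEntry(1234, 0x11, 0, 0x1A8, 0x8B000010, 0x1F0001)]
)
SAMPLE_BUFFER = build_handle_information(SAMPLE_ENTRIES)


def demo() -> tuple:
    """Return (query attempts, total entries, entries owned by PID 1234)."""
    query = make_fake_query(SAMPLE_BUFFER)
    table = parse_handle_information(query_with_retry(query))
    return len(query.calls), len(table), len(handles_in_process(table, 1234))
```

demo() needs two attempts (0x1000 then 0x2000 bytes) before the constructed 6436-byte table fits, and finds two of the 402 entries under PID 1234. On a live system the table runs to megabytes, which is why the sample's loop exists at all; the per-process filter is the point at which OpenProcess(PROCESS_DUP_HANDLE) and DuplicateHandle take over in the graph above.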

                                      Control-flow Graph (function 00413D4C)
                                      Basic-block edge data omitted, as above. Block sequence by address, with the calls each block makes:
                                      • 413d4c-413da0: call 0040B633 (operator delete), CreateToolhelp32Snapshot, memset, Process32FirstW
                                      • 413f00-413f11: Process32NextW; the loop leaves through 413f17-413f24: FindCloseChangeNotification on the snapshot
                                      • 413da5-413ded: OpenProcess on the enumerated PID; one outcome goes to 413eb0-413eb5, which returns to Process32NextW or enters 413eb7, the other to 413df3
                                      • 413df3-413e26: memset, call 00413F27 (a helper whose body reaches K32GetModuleFileNameExW at 00413F37 in the execution graph)
                                      • 413e28-413e35: either 413e37-413e5c (GetModuleHandleW on kernel32.dll, GetProcAddress for QueryFullProcessImageNameW) or 413e61-413e76
                                      • 413e79-413e9d: call 00413959, call 00413CA4 (the GetProcessTimes path at 00413CB0-00413CE3 in the execution graph); 413ea2-413eae: CloseHandle on the process
                                      • 413eb7-413ee2: ??3@YAXPAX@Z (conditional), call 004099F4; 413ee7-413efe returns to Process32NextW
                                      APIs
                                        • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                                      • memset.MSVCRT ref: 00413D7F
                                      • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                      • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                      • memset.MSVCRT ref: 00413E07
                                      • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                      • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                      • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                      • ??3@YAXPAX@Z.MSVCRT ref: 00413EC1
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                      • FindCloseChangeNotification.KERNELBASE(00000000,00000000,0000022C), ref: 00413F1A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??3@CloseHandleProcess32memset$AddressChangeCreateFindFirstModuleNextNotificationOpenProcProcessSnapshotToolhelp32
                                      • String ID: QueryFullProcessImageNameW$kernel32.dll
                                      • API String ID: 2191996607-1740548384
                                      • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                      • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                      • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                      • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                      • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                      • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                      • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                      • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                      • memcpy.MSVCRT ref: 0040B60D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                      • String ID: BIN
                                      • API String ID: 1668488027-1015027815
                                      • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                      • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                      • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                      • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                      APIs
                                        • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                        • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                        • Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                      • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                      • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                      • ??3@YAXPAX@Z.MSVCRT ref: 00418803
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
                                      • String ID:
                                      • API String ID: 2947809556-0
                                      • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                      • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                      • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                      • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                      APIs
                                      • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                      • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: FileFind$FirstNext
                                      • String ID:
                                      • API String ID: 1690352074-0
                                      • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                      • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                      • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                      • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                      APIs
                                      • memset.MSVCRT ref: 0041898C
                                      • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: InfoSystemmemset
                                      • String ID:
                                      • API String ID: 3558857096-0
                                      • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                      • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                      • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                      • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                      Control-flow Graph (rendered graph not reproduced; function entry block 44553b-445558, executed/not-executed colouring lost in extraction)
                                      APIs
                                      • memset.MSVCRT ref: 004455C2
                                      • wcsrchr.MSVCRT ref: 004455DA
                                      • memset.MSVCRT ref: 0044570D
                                      • memset.MSVCRT ref: 00445725
                                        • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                        • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                        • Part of subcall function 0040BDB0: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                        • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                        • Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
                                        • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                        • Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2
                                        • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                      • memset.MSVCRT ref: 0044573D
                                      • memset.MSVCRT ref: 00445755
                                      • memset.MSVCRT ref: 004458CB
                                      • memset.MSVCRT ref: 004458E3
                                      • memset.MSVCRT ref: 0044596E
                                      • memset.MSVCRT ref: 00445A10
                                      • memset.MSVCRT ref: 00445A28
                                      • memset.MSVCRT ref: 00445AC6
                                        • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                        • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                        • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                        • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                        • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                      • memset.MSVCRT ref: 00445B52
                                      • memset.MSVCRT ref: 00445B6A
                                      • memset.MSVCRT ref: 00445C9B
                                      • memset.MSVCRT ref: 00445CB3
                                      • _wcsicmp.MSVCRT ref: 00445D56
                                      • memset.MSVCRT ref: 00445B82
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                        • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                        • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                        • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                        • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                      • memset.MSVCRT ref: 00445986
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
                                      • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                      • API String ID: 2745753283-3798722523
                                      • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                      • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                      • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                      • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A
                                      APIs
                                        • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                        • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                        • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                        • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                      • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                      • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                      • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                      • String ID: $/deleteregkey$/savelangfile
                                      • API String ID: 2744995895-28296030
                                      • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                      • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                      • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                      • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A
                                      APIs
                                      • memset.MSVCRT ref: 0040B71C
                                        • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                        • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                      • wcsrchr.MSVCRT ref: 0040B738
                                      • memset.MSVCRT ref: 0040B756
                                      • memset.MSVCRT ref: 0040B7F5
                                      • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                      • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                      • FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 0040B838
                                      • memset.MSVCRT ref: 0040B851
                                      • memset.MSVCRT ref: 0040B8CA
                                      • memcmp.MSVCRT ref: 0040B9BF
                                        • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                        • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                      • memset.MSVCRT ref: 0040BB53
                                      • memcpy.MSVCRT ref: 0040BB66
                                      • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$File$Freewcsrchr$AddressChangeCloseCopyCreateDeleteFindLibraryLocalNotificationProcmemcmpmemcpywcscpy
                                      • String ID: chp$v10
                                      • API String ID: 170802307-2783969131
                                      • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                      • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                      • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                      • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99
                                      Control-flow Graph (rendered graph not reproduced; function entry block 4091b8-40921b, executed/not-executed colouring lost in extraction)
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                      • String ID:
                                      • API String ID: 3715365532-3916222277
                                      • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                      • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                      • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                      • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59
                                      APIs
                                        • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                        • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                        • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                        • Part of subcall function 0040DD85: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                        • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                        • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                      • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                      • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                      • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                      • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                        • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                        • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                        • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                        • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                      • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                      • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                      • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                      • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                      • FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                      • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                      • CloseHandle.KERNEL32(?), ref: 0040E148
                                      • CloseHandle.KERNEL32(?), ref: 0040E14D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                      • String ID: bhv
                                      • API String ID: 327780389-2689659898
                                      • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                      • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                      • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                      • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8
                                      Control-flow Graph (rendered graph not reproduced; function entry block 413f4f-413f52, executed/not-executed colouring lost in extraction)
                                      APIs
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                      • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                      • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                      • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                      • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                      • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                      • API String ID: 2941347001-70141382

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                      • String ID:
                                      • API String ID: 2827331108-0

                                      APIs
                                      • memset.MSVCRT ref: 0040C298
                                        • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                        • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                      • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                      • wcschr.MSVCRT ref: 0040C324
                                      • wcschr.MSVCRT ref: 0040C344
                                      • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                      • GetLastError.KERNEL32 ref: 0040C373
                                      • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                      • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                      • String ID: visited:
                                      • API String ID: 1157525455-1702587658

                                      APIs
                                        • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                      • memset.MSVCRT ref: 0040E1BD
                                        • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                        • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                        • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                        • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                      • _snwprintf.MSVCRT ref: 0040E257
                                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                        • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                        • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                        • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                      • String ID: $ContainerId$Container_%I64d$Containers$Name
                                      • API String ID: 3883404497-2982631422

                                      APIs
                                        • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                        • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                        • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                      • memset.MSVCRT ref: 0040BC75
                                      • memset.MSVCRT ref: 0040BC8C
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                      • memcmp.MSVCRT ref: 0040BCD6
                                      • memcpy.MSVCRT ref: 0040BD2B
                                      • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$ByteChangeCharCloseFileFindFreeLocalMultiNotificationSizeWide_wcsicmpmemcmpmemcpy
                                      • String ID:
                                      • API String ID: 509814883-3916222277

                                      APIs
                                      • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                      • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                      • GetLastError.KERNEL32 ref: 0041847E
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0041848B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: CreateFile$??3@ErrorLast
                                      • String ID: |A
                                      • API String ID: 1407640353-1717621600

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                      • String ID: r!A
                                      • API String ID: 2791114272-628097481

                                      APIs
                                        • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                        • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                        • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                        • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                        • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                        • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                        • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                        • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                        • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                        • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                        • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                        • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                        • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                        • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                      • _wcslwr.MSVCRT ref: 0040C817
                                        • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                        • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                      • wcslen.MSVCRT ref: 0040C82C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                      • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                      • API String ID: 62308376-4196376884
                                      APIs
                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                      • CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                      • wcslen.MSVCRT ref: 0040BE06
                                      • _wcsncoll.MSVCRT ref: 0040BE38
                                      • memset.MSVCRT ref: 0040BE91
                                      • memcpy.MSVCRT ref: 0040BEB2
                                      • _wcsnicmp.MSVCRT ref: 0040BEFC
                                      • wcschr.MSVCRT ref: 0040BF24
                                      • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: AddressProc$CredEnumerateFreeLocal_wcsncoll_wcsnicmpmemcpymemsetwcschrwcslen
                                      • String ID:
                                      • API String ID: 3191383707-0
                                      APIs
                                      • memset.MSVCRT ref: 00403CBF
                                      • memset.MSVCRT ref: 00403CD4
                                      • memset.MSVCRT ref: 00403CE9
                                      • memset.MSVCRT ref: 00403CFE
                                      • memset.MSVCRT ref: 00403D13
                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                      • memset.MSVCRT ref: 00403DDA
                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                        • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                      • String ID: Waterfox$Waterfox\Profiles
                                      • API String ID: 3527940856-11920434
                                      APIs
                                      • memset.MSVCRT ref: 00403E50
                                      • memset.MSVCRT ref: 00403E65
                                      • memset.MSVCRT ref: 00403E7A
                                      • memset.MSVCRT ref: 00403E8F
                                      • memset.MSVCRT ref: 00403EA4
                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                      • memset.MSVCRT ref: 00403F6B
                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                        • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                      • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                      • API String ID: 3527940856-2068335096
                                      APIs
                                      • memset.MSVCRT ref: 00403FE1
                                      • memset.MSVCRT ref: 00403FF6
                                      • memset.MSVCRT ref: 0040400B
                                      • memset.MSVCRT ref: 00404020
                                      • memset.MSVCRT ref: 00404035
                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                      • memset.MSVCRT ref: 004040FC
                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                        • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                      • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                      • API String ID: 3527940856-3369679110
                                      • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                      • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                      • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                      • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                      • API String ID: 3510742995-2641926074
                                      • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                      • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                      • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                      • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                      APIs
                                        • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                        • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                        • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                      • memset.MSVCRT ref: 004033B7
                                      • memcpy.MSVCRT ref: 004033D0
                                      • wcscmp.MSVCRT ref: 004033FC
                                      • _wcsicmp.MSVCRT ref: 00403439
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
                                      • String ID: $0.@
                                      • API String ID: 3030842498-1896041820
                                      • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                      • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                      • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                      • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                      APIs
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                      • String ID:
                                      • API String ID: 2941347001-0
                                      • Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                      • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                      • Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                      • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                      APIs
                                      • memset.MSVCRT ref: 00403C09
                                      • memset.MSVCRT ref: 00403C1E
                                        • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                        • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                      • wcscat.MSVCRT ref: 00403C47
                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                      • wcscat.MSVCRT ref: 00403C70
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memsetwcscat$Closewcscpywcslen
                                      • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                      • API String ID: 3249829328-1174173950
                                      • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                      • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                      • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                      • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                      APIs
                                      • memset.MSVCRT ref: 0040A824
                                      • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                      • wcscpy.MSVCRT ref: 0040A854
                                      • wcscat.MSVCRT ref: 0040A86A
                                      • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                      • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                      • String ID:
                                      • API String ID: 669240632-0
                                      • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                      • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                      • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                      • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                      APIs
                                      • wcschr.MSVCRT ref: 00414458
                                      • _snwprintf.MSVCRT ref: 0041447D
                                      • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                      • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: PrivateProfileString$Write_snwprintfwcschr
                                      • String ID: "%s"
                                      • API String ID: 1343145685-3297466227
                                      • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                      • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                      • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                      • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                      APIs
                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                      • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                      • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProcProcessTimes
                                      • String ID: GetProcessTimes$kernel32.dll
                                      • API String ID: 1714573020-3385500049
                                      • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                      • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                      • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                      • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                      APIs
                                      • memset.MSVCRT ref: 004087D6
                                        • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                        • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                      • memset.MSVCRT ref: 00408828
                                      • memset.MSVCRT ref: 00408840
                                      • memset.MSVCRT ref: 00408858
                                      • memset.MSVCRT ref: 00408870
                                      • memset.MSVCRT ref: 00408888
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                      • String ID:
                                      • API String ID: 2911713577-0
                                      • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                      • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                      • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                      • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcmp
                                      • String ID: @ $SQLite format 3
                                      • API String ID: 1475443563-3708268960
                                      • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                      • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                      • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                      • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                      APIs
                                        • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                      • memset.MSVCRT ref: 00414C87
                                      • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                      • wcscpy.MSVCRT ref: 00414CFC
                                        • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                      Strings
                                      • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: AddressCloseProcVersionmemsetwcscpy
                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                      • API String ID: 2705122986-2036018995
                                      • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                      • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                      • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                      • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _wcsicmpqsort
                                      • String ID: /nosort$/sort
                                      • API String ID: 1579243037-1578091866
                                      • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                      • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                      • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                      • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                      APIs
                                      • memset.MSVCRT ref: 0040E60F
                                      • memset.MSVCRT ref: 0040E629
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                      Strings
                                      • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                      • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                      • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                      • API String ID: 3354267031-2114579845
                                      • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                      • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                      • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                      • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                      APIs
                                      • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                      • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                      • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                      • LockResource.KERNEL32(00000000), ref: 004148EF
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Resource$FindLoadLockSizeof
                                      • String ID:
                                      • API String ID: 3473537107-0
                                      • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                      • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                      • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                      • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0
                                      • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                      • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                      • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                      • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                      APIs
                                      Strings
                                      • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID: only a single result allowed for a SELECT that is part of an expression
                                      • API String ID: 2221118986-1725073988
                                      • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                      • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                      • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                      • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                      APIs
                                      • Sleep.KERNEL32(00000064), ref: 004175D0
                                      • FindCloseChangeNotification.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ChangeCloseFindNotificationSleep
                                      • String ID: }A
                                      • API String ID: 1821831730-2138825249
                                      • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                      • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                      • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                      • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??3@DeleteObject
                                      • String ID: r!A
                                      • API String ID: 1103273653-628097481
                                      • Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                      • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                      • Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                      • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??2@
                                      • String ID:
                                      • API String ID: 1033339047-0
                                      • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                      • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                      • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                      • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                      APIs
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                      • memcmp.MSVCRT ref: 00444BA5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: AddressProc$memcmp
                                      • String ID: $$8
                                      • API String ID: 2808797137-435121686
                                      • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                      • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                      • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                      Strings
                                      • too many columns on %s, xrefs: 00430763
                                      • duplicate column name: %s, xrefs: 004307FE
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: duplicate column name: %s$too many columns on %s
                                      • API String ID: 0-1445880494
                                      • Opcode ID: d71f1f637ec18e5f8a62c501b2db333135d8de05f3daff8c641ff98159ef3fea
                                      • Instruction ID: 332525b9e829d337f3b342900587a6bcab00951879d739311f42b30c77ca79e1
                                      • Instruction Fuzzy Hash: 5E314735500705AFCB109F55C891ABEB7B5EF88318F24815BE8969B342C738F841CB99
                                      APIs
                                        • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                        • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                        • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                        • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                        • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                        • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                        • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                        • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                        • Part of subcall function 0040E01E: FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                      • FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                        • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                        • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                        • Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC
                                      • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                      • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                        • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                        • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                        • Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
                                      • String ID:
                                      • API String ID: 1042154641-0
                                      • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                      • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                      • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                      APIs
                                        • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                        • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                        • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                        • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                      • memset.MSVCRT ref: 00403A55
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                        • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                        • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                        • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
                                      • String ID: history.dat$places.sqlite
                                      • API String ID: 3093078384-467022611
                                      • Opcode ID: 05f9737078ef75c1c81c27231a8cbd2d8a2d76354893ce3757c3369515f6e8ef
                                      • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                      • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                      APIs
                                        • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                        • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                        • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                      • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                      • GetLastError.KERNEL32 ref: 00417627
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ErrorLast$File$PointerRead
                                      • String ID:
                                      • API String ID: 839530781-0
                                      • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                      • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                      • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: FileFindFirst
                                      • String ID: *.*$index.dat
                                      • API String ID: 1974802433-2863569691
                                      • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                      • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                      • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??3@mallocmemcpy
                                      • String ID:
                                      • API String ID: 3831604043-0
                                      • Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                      • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                      • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                      APIs
                                      • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                      • GetLastError.KERNEL32 ref: 004175A2
                                      • GetLastError.KERNEL32 ref: 004175A8
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ErrorLast$FilePointer
                                      • String ID:
                                      • API String ID: 1156039329-0
                                      • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                      • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                      • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                      APIs
                                      • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                      • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                      • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: File$ChangeCloseCreateFindNotificationTime
                                      • String ID:
                                      • API String ID: 1631957507-0
                                      • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                      • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                      • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                      APIs
                                      • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                      • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                      • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Temp$DirectoryFileNamePathWindows
                                      • String ID:
                                      • API String ID: 1125800050-0
                                      • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                      • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                      • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                      Strings
                                      • failed memory resize %u to %u bytes, xrefs: 00415358
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: realloc
                                      • String ID: failed memory resize %u to %u bytes
                                      • API String ID: 471065373-2134078882
                                      • Opcode ID: e5ae129d454b891eada76ccbfa458d0a6592737a0e8831e28bd7d44ced5f0510
                                      • Instruction ID: af22f86c8d97814ed0bf188a45fefa7fc909daabc8cee38fca791e75313f3e85
                                      • Instruction Fuzzy Hash: 49F027B3A01605A7D2109A55DC418CBF3DCDFC4655B06082FF998D3201E168E88083B6
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: d
                                      • API String ID: 0-2564639436
                                      • Opcode ID: 9081757c99ca3a842b21ef208fcf0aba28da60ac56b45099a1a2f4719e1e1e22
                                      • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                      • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID: BINARY
                                      • API String ID: 2221118986-907554435
                                      • Opcode ID: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                      • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                      • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                      APIs
                                        • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                        • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                      • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                      • FindCloseChangeNotification.KERNELBASE(?), ref: 00410654
                                        • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                        • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                        • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                        • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
                                      • String ID:
                                      • API String ID: 1161345128-0
                                      • Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                      • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                      • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _wcsicmp
                                      • String ID: /stext
                                      • API String ID: 2081463915-3817206916
                                      • Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                      • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                      • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                      APIs
                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                        • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                        • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                      • FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                        • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: File$ByteCharMultiWide$??2@??3@ChangeCloseCreateFindNotificationReadSize
                                      • String ID:
                                      • API String ID: 159017214-0
                                      • Opcode ID: c9e98542c376da042cc7e9fe0c2757e169e3ab3aa14d13962e5d64e4fd764852
                                      • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                      • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                      APIs
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                      • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                      • String ID:
                                      • API String ID: 3150196962-0
                                      • Opcode ID: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
                                      • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                      • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                      Strings
                                      • failed to allocate %u bytes of memory, xrefs: 004152F0
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: malloc
                                      • String ID: failed to allocate %u bytes of memory
                                      • API String ID: 2803490479-1168259600
                                      • Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                      • Instruction ID: 101c51dc2fc609bd9d1e0073b1fda66f00508c6688545faad3e4fa21ce9dc4bd
                                      • Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0
                                      • Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                      • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                      • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcmpmemset
                                      • String ID:
                                      • API String ID: 1065087418-0
                                      • Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                      • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                      • Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                      • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                      APIs
                                        • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                        • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                        • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                        • Part of subcall function 0040A02C: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                      • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                      APIs
                                        • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                      APIs
                                      • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                      APIs
                                      • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                        • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                        • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                        • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                      APIs
                                      • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                      APIs
                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                      • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                      APIs
                                      • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                      APIs
                                      • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                      APIs
                                      • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                      APIs
                                      • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      APIs
                                      • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                      APIs
                                      • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                      APIs
                                      • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                      APIs
                                      • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                      APIs
                                      • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                      APIs
                                      • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                      APIs
                                      • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                      APIs
                                      • memset.MSVCRT ref: 004095FC
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                        • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                        • Part of subcall function 004091B8: memcpy.MSVCRT ref: 004092C9
                                        • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                      • String ID:
                                      • API String ID: 3655998216-0
                                      • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                      • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                      • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                      • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c75aee8a2a8dfae17061e24b09256e9f24568c4c4acdadc464b978748c80593b
                                      • Instruction ID: 56811e6a31311fae19106e74f332fd481794b0d175407c03959d21f12539f693
                                      • Opcode Fuzzy Hash: c75aee8a2a8dfae17061e24b09256e9f24568c4c4acdadc464b978748c80593b
                                      • Instruction Fuzzy Hash: 4201E572109E01E6DB1029278C81AF766899FC0399F14016FF94886281EEA8EEC542AE
                                      APIs
                                      • memset.MSVCRT ref: 00445426
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                        • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                        • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                      • String ID:
                                      • API String ID: 1828521557-0
                                      • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                      • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                      • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                      • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _wcsicmp
                                      • String ID:
                                      • API String ID: 2081463915-0
                                      • Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                      • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                      • Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                      • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                      APIs
                                        • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateErrorHandleLastRead
                                      • String ID:
                                      • API String ID: 2136311172-0
                                      • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                      • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                      • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                      • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                      APIs
                                        • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??2@??3@
                                      • String ID:
                                      • API String ID: 1936579350-0
                                      • Opcode ID: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                                      • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                      • Opcode Fuzzy Hash: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                                      • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                      APIs
                                      • EmptyClipboard.USER32 ref: 004098EC
                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                      • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                      • GlobalFix.KERNEL32(00000000), ref: 00409927
                                      • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                      • GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                                      • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                      • GetLastError.KERNEL32 ref: 0040995D
                                      • CloseHandle.KERNEL32(?), ref: 00409969
                                      • GetLastError.KERNEL32 ref: 00409974
                                      • CloseClipboard.USER32 ref: 0040997D
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
                                      • String ID:
                                      • API String ID: 2565263379-0
                                      • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                      • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                                      • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                      • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
                                      APIs
                                      • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                      • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                      • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                      • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Library$AddressFreeLoadMessageProc
                                      • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                      • API String ID: 2780580303-317687271
                                      • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                      • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                      • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                      • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                      APIs
                                      • EmptyClipboard.USER32 ref: 00409882
                                      • wcslen.MSVCRT ref: 0040988F
                                      • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                      • GlobalFix.KERNEL32(00000000), ref: 004098AC
                                      • memcpy.MSVCRT ref: 004098B5
                                      • GlobalUnWire.KERNEL32(00000000), ref: 004098BE
                                      • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                      • CloseClipboard.USER32 ref: 004098D7
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpywcslen
                                      • String ID:
                                      • API String ID: 2014503067-0
                                      • Opcode ID: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                      • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                                      • Opcode Fuzzy Hash: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                      • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
                                      APIs
                                      • GetLastError.KERNEL32 ref: 004182D7
                                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                      • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                      • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                      • LocalFree.KERNEL32(?), ref: 00418342
                                      • ??3@YAXPAX@Z.MSVCRT ref: 00418370
                                        • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,771ADF80,?,0041755F,?), ref: 00417452
                                        • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: FormatMessage$??3@ByteCharErrorFreeLastLocalMultiVersionWidemalloc
                                      • String ID: OsError 0x%x (%u)
                                      • API String ID: 403622227-2664311388
                                      • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                      • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                      • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                      • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                      APIs
                                        • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                        • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                        • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                      • OpenClipboard.USER32(?), ref: 00411878
                                      • GetLastError.KERNEL32 ref: 0041188D
                                      • DeleteFileW.KERNEL32(?), ref: 004118AC
                                        • Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
                                        • Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                        • Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                        • Part of subcall function 004098E2: GlobalFix.KERNEL32(00000000), ref: 00409927
                                        • Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                        • Part of subcall function 004098E2: GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                                        • Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                        • Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
                                        • Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastNameOpenPathReadSizeWindowsWire
                                      • String ID:
                                      • API String ID: 1203541146-0
                                      • Opcode ID: 0cde1a455cb318c00b32f556f5e8c7a3ba143a63badd7d8bcbff79f11634fc9a
                                      • Instruction ID: 30b21b9b2413019ae2959f490c9fe9c3e0a1eb79cd5a134b572bdad6ddd06780
                                      • Opcode Fuzzy Hash: 0cde1a455cb318c00b32f556f5e8c7a3ba143a63badd7d8bcbff79f11634fc9a
                                      • Instruction Fuzzy Hash: C7F0A4367003006BEA203B729C4EFDB379DAB80710F04453AB965A62E2DE78EC818518
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??2@??3@memcpymemset
                                      • String ID:
                                      • API String ID: 1865533344-0
                                      • Opcode ID: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
                                      • Instruction ID: 142cde259e2f0f6626273334703b570cf32d48e622dac596d848113b95f58250
                                      • Opcode Fuzzy Hash: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
                                      • Instruction Fuzzy Hash: D7113C71900209EFDF10AF95C805AAE3B71FF09325F04C16AFD15662A1C7798E21EF5A
                                      APIs
                                      • GetVersionExW.KERNEL32(?), ref: 004173BE
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Version
                                      • String ID:
                                      • API String ID: 1889659487-0
                                      • Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                      • Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
                                      • Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                      • Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A
                                      APIs
                                      • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: NtdllProc_Window
                                      • String ID:
                                      • API String ID: 4255912815-0
                                      • Opcode ID: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                      • Instruction ID: 27e4c09127093a565ccbabfb03fa630377511b1425115cef73ae3fc8c8acf6c4
                                      • Opcode Fuzzy Hash: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                      • Instruction Fuzzy Hash: BEC0483A108200FFCA024B81DD08D0ABFA2BB98320F00C868B2AC0403187338022EB02
                                      APIs
                                      • _wcsicmp.MSVCRT ref: 004022A6
                                      • _wcsicmp.MSVCRT ref: 004022D7
                                      • _wcsicmp.MSVCRT ref: 00402305
                                      • _wcsicmp.MSVCRT ref: 00402333
                                        • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                        • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                      • memset.MSVCRT ref: 0040265F
                                      • memcpy.MSVCRT ref: 0040269B
                                        • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                        • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                      • memcpy.MSVCRT ref: 004026FF
                                      • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                      • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                      • API String ID: 577499730-1134094380
                                      • Opcode ID: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                                      • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                      • Opcode Fuzzy Hash: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                                      • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                      • String ID: :stringdata$ftp://$http://$https://
                                      • API String ID: 2787044678-1921111777
                                      • Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                      • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                      • Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                      • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                      APIs
                                      • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                      • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                      • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                      • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                      • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                      • GetWindowRect.USER32(?,?), ref: 00414088
                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                      • GetDC.USER32 ref: 004140E3
                                      • wcslen.MSVCRT ref: 00414123
                                      • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                      • ReleaseDC.USER32(?,?), ref: 00414181
                                      • _snwprintf.MSVCRT ref: 00414244
                                      • SetWindowTextW.USER32(?,?), ref: 00414258
                                      • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                      • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                      • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                      • GetClientRect.USER32(?,?), ref: 004142E1
                                      • GetWindowRect.USER32(?,?), ref: 004142EB
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                      • GetClientRect.USER32(?,?), ref: 0041433B
                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                      • String ID: %s:$EDIT$STATIC
                                      • API String ID: 2080319088-3046471546
                                      • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                      • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                      • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                      • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                      APIs
                                      • EndDialog.USER32(?,?), ref: 00413221
                                      • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                      • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                      • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                      • memset.MSVCRT ref: 00413292
                                      • memset.MSVCRT ref: 004132B4
                                      • memset.MSVCRT ref: 004132CD
                                      • memset.MSVCRT ref: 004132E1
                                      • memset.MSVCRT ref: 004132FB
                                      • memset.MSVCRT ref: 00413310
                                      • GetCurrentProcess.KERNEL32 ref: 00413318
                                      • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                      • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                      • memset.MSVCRT ref: 004133C0
                                      • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                      • memcpy.MSVCRT ref: 004133FC
                                      • wcscpy.MSVCRT ref: 0041341F
                                      • _snwprintf.MSVCRT ref: 0041348E
                                      • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                      • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                      • SetFocus.USER32(00000000), ref: 004134B7
                                      Strings
                                      • {Unknown}, xrefs: 004132A6
                                      • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                      • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                      • API String ID: 4111938811-1819279800
                                      • Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                      • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                      • Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                      • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                      APIs
                                      • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                      • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                      • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                      • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                      • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                      • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                      • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                      • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                      • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                      • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                      • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                      • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                      • EndDialog.USER32(?,?), ref: 0040135E
                                      • DeleteObject.GDI32(?), ref: 0040136A
                                      • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                      • ShowWindow.USER32(00000000), ref: 00401398
                                      • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                      • ShowWindow.USER32(00000000), ref: 004013A7
                                      • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                      • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                      • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                      • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                      • String ID:
                                      • API String ID: 829165378-0
                                      • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                      • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                      • Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                      • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                      APIs
                                      • memset.MSVCRT ref: 00404172
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                      • wcscpy.MSVCRT ref: 004041D6
                                      • wcscpy.MSVCRT ref: 004041E7
                                      • memset.MSVCRT ref: 00404200
                                      • memset.MSVCRT ref: 00404215
                                      • _snwprintf.MSVCRT ref: 0040422F
                                      • wcscpy.MSVCRT ref: 00404242
                                      • memset.MSVCRT ref: 0040426E
                                      • memset.MSVCRT ref: 004042CD
                                      • memset.MSVCRT ref: 004042E2
                                      • _snwprintf.MSVCRT ref: 004042FE
                                      • wcscpy.MSVCRT ref: 00404311
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                      • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                      • API String ID: 2454223109-1580313836
                                      • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                      • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                      • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                      • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                      APIs
                                        • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                      • SetMenu.USER32(?,00000000), ref: 00411453
                                      • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                      • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                      • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                      • memcpy.MSVCRT ref: 004115C8
                                      • ShowWindow.USER32(?,?), ref: 004115FE
                                      • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                      • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                      • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                      • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                      • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                        • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                        • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                      • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                      • API String ID: 4054529287-3175352466
                                      • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                      • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                      • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                      • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: wcscat$_snwprintfmemset$wcscpy
                                      • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                      • API String ID: 3143752011-1996832678
                                      • Opcode ID: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                      • Instruction ID: fbd97de1ae08b3d7bb58c913f73a739646adbf5bc1eafa8de66ed769fffaada2
                                      • Opcode Fuzzy Hash: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                      • Instruction Fuzzy Hash: 25310BB2500315BEE720AA55AC82DBF73BC9F81728F10815FF614621C2EB3C5A854A1D
                                      APIs
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                      • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                      • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                      • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                      • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                      • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                      • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                      • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                      • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: AddressProc$HandleModule
                                      • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                      • API String ID: 667068680-2887671607
                                      • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                      • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                      • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                      • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _snwprintfmemset$wcscpy$wcscat
                                      • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                      • API String ID: 1607361635-601624466
                                      • Opcode ID: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                      • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                                      • Opcode Fuzzy Hash: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                      • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _snwprintf$memset$wcscpy
                                      • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                      • API String ID: 2000436516-3842416460
                                      • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                      • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                      • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                      • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                      APIs
                                        • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                        • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                        • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                        • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                        • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                        • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                        • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                        • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                        • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                        • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                        • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                      • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                      • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                      • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                      • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                      • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                      • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                      • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                      • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                      • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                      • String ID:
                                      • API String ID: 1043902810-0
                                      • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                      • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                      • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                      • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                      APIs
                                        • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                        • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E49A
                                        • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                      • memset.MSVCRT ref: 0040E380
                                        • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                        • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                      • wcschr.MSVCRT ref: 0040E3B8
                                      • memcpy.MSVCRT ref: 0040E3EC
                                      • memcpy.MSVCRT ref: 0040E407
                                      • memcpy.MSVCRT ref: 0040E422
                                      • memcpy.MSVCRT ref: 0040E43D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
                                      • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                      • API String ID: 3073804840-2252543386
                                      • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                      • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                      • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                      • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??2@??3@_snwprintfwcscpy
                                      • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                      • API String ID: 2899246560-1542517562
                                      • Opcode ID: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                      • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                      • Opcode Fuzzy Hash: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                      • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                      APIs
                                      • memset.MSVCRT ref: 0040DBCD
                                      • memset.MSVCRT ref: 0040DBE9
                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                        • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                                        • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                        • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                      • wcscpy.MSVCRT ref: 0040DC2D
                                      • wcscpy.MSVCRT ref: 0040DC3C
                                      • wcscpy.MSVCRT ref: 0040DC4C
                                      • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                                      • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                                      • wcscpy.MSVCRT ref: 0040DCC3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                      • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                      • API String ID: 3330709923-517860148
                                      • Opcode ID: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                      • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                                      • Opcode Fuzzy Hash: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                      • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                                      APIs
                                        • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                        • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                        • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                      • memset.MSVCRT ref: 0040806A
                                      • memset.MSVCRT ref: 0040807F
                                      • _wtoi.MSVCRT ref: 004081AF
                                      • _wcsicmp.MSVCRT ref: 004081C3
                                      • memset.MSVCRT ref: 004081E4
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                        • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                        • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                        • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                        • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407E7E
                                        • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407ED7
                                        • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407EEE
                                        • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407F01
                                        • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                        • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                        • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$ChangeCloseFileFindNotificationSize_wtoi_wtoi64wcscpy
                                      • String ID: logins$null
                                      • API String ID: 3492182834-2163367763
                                      • Opcode ID: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                      • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
                                      • Opcode Fuzzy Hash: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                      • Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
                                      APIs
                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                      • memset.MSVCRT ref: 004085CF
                                      • memset.MSVCRT ref: 004085F1
                                      • memset.MSVCRT ref: 00408606
                                      • strcmp.MSVCRT ref: 00408645
                                      • _mbscpy.MSVCRT ref: 004086DB
                                      • _mbscpy.MSVCRT ref: 004086FA
                                      • memset.MSVCRT ref: 0040870E
                                      • strcmp.MSVCRT ref: 0040876B
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040879D
                                      • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                      • String ID: ---
                                      • API String ID: 3437578500-2854292027
                                      • Opcode ID: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                      • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                      • Opcode Fuzzy Hash: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                      • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                      APIs
                                      • memset.MSVCRT ref: 0041087D
                                      • memset.MSVCRT ref: 00410892
                                      • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                      • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                      • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                      • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                      • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                      • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                      • GetSysColor.USER32(0000000F), ref: 00410999
                                      • DeleteObject.GDI32(?), ref: 004109D0
                                      • DeleteObject.GDI32(?), ref: 004109D6
                                      • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                      • String ID:
                                      • API String ID: 1010922700-0
                                      • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                      • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                      • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                      • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                      APIs
                                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                      • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                      • malloc.MSVCRT ref: 004186B7
                                      • ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                      • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                      • ??3@YAXPAX@Z.MSVCRT ref: 004186E0
                                      • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                      • malloc.MSVCRT ref: 004186FE
                                      • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                      • ??3@YAXPAX@Z.MSVCRT ref: 00418716
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0041872A
                                      • ??3@YAXPAX@Z.MSVCRT ref: 00418749
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??3@$FullNamePath$malloc$Version
                                      • String ID: |A
                                      • API String ID: 4233704886-1717621600
                                      • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                      • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                      • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                      • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _wcsicmp
                                      • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                      • API String ID: 2081463915-1959339147
                                      • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                      • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                      • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                      • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                      APIs
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                      • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                      • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                      • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                      • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                      • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                      • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                      • API String ID: 2012295524-70141382
                                      • Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                      • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                      • Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                      • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                      APIs
                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                      • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                      • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                      • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                      • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                      • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: AddressProc$HandleModule
                                      • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                      • API String ID: 667068680-3953557276
                                      • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                      • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                      • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                      • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                      APIs
                                      • GetDC.USER32(00000000), ref: 004121FF
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                      • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                      • SetBkMode.GDI32(?,00000001), ref: 00412232
                                      • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                      • SelectObject.GDI32(?,?), ref: 00412251
                                      • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                      • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                        • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                        • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                        • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                      • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                      • SetCursor.USER32(00000000), ref: 004122BC
                                      • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                      • memcpy.MSVCRT ref: 0041234D
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                      • String ID:
                                      • API String ID: 1700100422-0
                                      • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                      • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                      • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                      • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                      APIs
                                      • GetClientRect.USER32(?,?), ref: 004111E0
                                      • GetWindowRect.USER32(?,?), ref: 004111F6
                                      • GetWindowRect.USER32(?,?), ref: 0041120C
                                      • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                      • GetWindowRect.USER32(00000000), ref: 0041124D
                                      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                      • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                      • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                      • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                      • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                      • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                      • EndDeferWindowPos.USER32(?), ref: 0041130B
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Window$Defer$Rect$BeginClientItemPoints
                                      • String ID:
                                      • API String ID: 552707033-0
                                      • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                      • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                      • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                      • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                      APIs
                                      • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                        • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                        • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                        • Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024
                                      • memcpy.MSVCRT ref: 0040C11B
                                      • strchr.MSVCRT ref: 0040C140
                                      • strchr.MSVCRT ref: 0040C151
                                      • _strlwr.MSVCRT ref: 0040C15F
                                      • memset.MSVCRT ref: 0040C17A
                                      • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                      • String ID: 4$h
                                      • API String ID: 4066021378-1856150674
                                      • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                      • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                      • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                      • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$_snwprintf
                                      • String ID: %%0.%df
                                      • API String ID: 3473751417-763548558
                                      • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                      • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                      • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                      • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                      APIs
                                      • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                      • KillTimer.USER32(?,00000041), ref: 004060D7
                                      • KillTimer.USER32(?,00000041), ref: 004060E8
                                      • GetTickCount.KERNEL32 ref: 0040610B
                                      • GetParent.USER32(?), ref: 00406136
                                      • SendMessageW.USER32(00000000), ref: 0040613D
                                      • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                      • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                      • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                      • String ID: A
                                      • API String ID: 2892645895-3554254475
                                      • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                      • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                      • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                      • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                      APIs
                                      • LoadMenuW.USER32(?,?), ref: 0040D97F
                                        • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                        • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                        • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                        • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                      • DestroyMenu.USER32(00000000), ref: 0040D99D
                                      • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                      • GetDesktopWindow.USER32 ref: 0040D9FD
                                      • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                      • memset.MSVCRT ref: 0040DA23
                                      • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                      • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                      • DestroyWindow.USER32(00000005), ref: 0040DA70
                                        • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                      • String ID: caption
                                      • API String ID: 973020956-4135340389
                                      • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                      • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                      • Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                      • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                      Strings
                                      • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                      • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                      • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                      • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$_snwprintf$wcscpy
                                      • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                      • API String ID: 1283228442-2366825230
                                      • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                      • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                      • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                      • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                                      APIs
                                      • wcschr.MSVCRT ref: 00413972
                                      • wcscpy.MSVCRT ref: 00413982
                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                        • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                      • wcscpy.MSVCRT ref: 004139D1
                                      • wcscat.MSVCRT ref: 004139DC
                                      • memset.MSVCRT ref: 004139B8
                                        • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                        • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                      • memset.MSVCRT ref: 00413A00
                                      • memcpy.MSVCRT ref: 00413A1B
                                      • wcscat.MSVCRT ref: 00413A27
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                      • String ID: \systemroot
                                      • API String ID: 4173585201-1821301763
                                      • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                      • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                      • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                      • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: wcscpy
                                      • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                      • API String ID: 1284135714-318151290
                                      • Opcode ID: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                      • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                                      • Opcode Fuzzy Hash: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                      • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                      • String ID: 0$6
                                      • API String ID: 4066108131-3849865405
                                      • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                      • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                      • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                      • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                      APIs
                                      • memset.MSVCRT ref: 004082EF
                                        • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                      • memset.MSVCRT ref: 00408362
                                      • memset.MSVCRT ref: 00408377
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$ByteCharMultiWide
                                      • String ID:
                                      • API String ID: 290601579-0
                                      • Opcode ID: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                      • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                      • Opcode Fuzzy Hash: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                      • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy$memchrmemset
                                      • String ID: PD$PD
                                      • API String ID: 1581201632-2312785699
                                      • Opcode ID: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                      • Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
                                      • Opcode Fuzzy Hash: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                      • Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
                                      APIs
                                      • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                      • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                      • GetDC.USER32(00000000), ref: 00409F6E
                                      • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                      • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                      • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                      • GetWindowRect.USER32(?,?), ref: 00409FA0
                                      • GetParent.USER32(?), ref: 00409FA5
                                      • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                      • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                      • String ID:
                                      • API String ID: 2163313125-0
                                      • Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                      • Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
                                      • Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                      • Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??3@$wcslen
                                      • String ID:
                                      • API String ID: 239872665-3916222277
                                      • Opcode ID: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                      • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                      • Opcode Fuzzy Hash: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                      • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpywcslen$_snwprintfmemset
                                      • String ID: %s (%s)$YV@
                                      • API String ID: 3979103747-598926743
                                      • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                      • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                      • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                      • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                      APIs
                                      • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                      • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                      • wcslen.MSVCRT ref: 0040A6B1
                                      • wcscpy.MSVCRT ref: 0040A6C1
                                      • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                      • wcscpy.MSVCRT ref: 0040A6DB
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                      • String ID: Unknown Error$netmsg.dll
                                      • API String ID: 2767993716-572158859
                                      • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                      • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                      • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                      • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                      APIs
                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                      • wcscpy.MSVCRT ref: 0040DAFB
                                      • wcscpy.MSVCRT ref: 0040DB0B
                                      • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                        • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: PrivateProfilewcscpy$AttributesFileString
                                      • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                      • API String ID: 3176057301-2039793938
                                      • Opcode ID: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                      • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                                      • Opcode Fuzzy Hash: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                      • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                                      Strings
                                      • cannot ATTACH database within transaction, xrefs: 0042F663
                                      • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                      • database %s is already in use, xrefs: 0042F6C5
                                      • too many attached databases - max %d, xrefs: 0042F64D
                                      • database is already attached, xrefs: 0042F721
                                      • unable to open database: %s, xrefs: 0042F84E
                                      • out of memory, xrefs: 0042F865
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpymemset
                                      • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                      • API String ID: 1297977491-2001300268
                                      • Opcode ID: bc1e043490782c929c709f26cda1c8b0ebc87db0ce4dfb41b9d8c8297906dfd0
                                      • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                      • Opcode Fuzzy Hash: bc1e043490782c929c709f26cda1c8b0ebc87db0ce4dfb41b9d8c8297906dfd0
                                      • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                      APIs
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040EB3F
                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040EB5B
                                      • memcpy.MSVCRT ref: 0040EB80
                                      • memcpy.MSVCRT ref: 0040EB94
                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040EC17
                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040EC21
                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040EC59
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                        • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                      • String ID: ($d
                                      • API String ID: 1140211610-1915259565
                                      • Opcode ID: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
                                      • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                                      • Opcode Fuzzy Hash: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
                                      • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
                                      APIs
                                      • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                      • Sleep.KERNEL32(00000001), ref: 004178E9
                                      • GetLastError.KERNEL32 ref: 004178FB
                                      • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: File$ErrorLastLockSleepUnlock
                                      • String ID:
                                      • API String ID: 3015003838-0
                                      • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                      • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                                      • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                      • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                                      APIs
                                      • memset.MSVCRT ref: 00407E44
                                      • memset.MSVCRT ref: 00407E5B
                                      • _mbscpy.MSVCRT ref: 00407E7E
                                      • _mbscpy.MSVCRT ref: 00407ED7
                                      • _mbscpy.MSVCRT ref: 00407EEE
                                      • _mbscpy.MSVCRT ref: 00407F01
                                      • wcscpy.MSVCRT ref: 00407F10
                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                      • String ID:
                                      • API String ID: 59245283-0
                                      • Opcode ID: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                      • Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
                                      • Opcode Fuzzy Hash: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                      • Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
                                      APIs
                                      • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                      • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                      • GetLastError.KERNEL32 ref: 0041855C
                                      • Sleep.KERNEL32(00000064), ref: 00418571
                                      • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                      • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                      • GetLastError.KERNEL32 ref: 0041858E
                                      • Sleep.KERNEL32(00000064), ref: 004185A3
                                      • ??3@YAXPAX@Z.MSVCRT ref: 004185AC
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: File$AttributesDeleteErrorLastSleep$??3@
                                      • String ID:
                                      • API String ID: 3467550082-0
                                      • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                      • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                      • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                      • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                      • API String ID: 3510742995-3273207271
                                      • Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                      • Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
                                      • Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                      • Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
                                      APIs
                                      • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                      • memset.MSVCRT ref: 00413ADC
                                      • memset.MSVCRT ref: 00413AEC
                                        • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                      • memset.MSVCRT ref: 00413BD7
                                      • wcscpy.MSVCRT ref: 00413BF8
                                      • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$wcscpy$CloseHandleOpenProcess
                                      • String ID: 3A
                                      • API String ID: 3300951397-293699754
                                      • Opcode ID: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                      • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                      • Opcode Fuzzy Hash: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                      • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                      • wcscpy.MSVCRT ref: 0040D1B5
                                        • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                        • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                      • wcslen.MSVCRT ref: 0040D1D3
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                      • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                      • memcpy.MSVCRT ref: 0040D24C
                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                      • String ID: strings
                                      • API String ID: 3166385802-3030018805
                                      • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                      • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                      • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                      • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                      APIs
                                      • memset.MSVCRT ref: 00411AF6
                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                      • wcsrchr.MSVCRT ref: 00411B14
                                      • wcscat.MSVCRT ref: 00411B2E
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: FileModuleNamememsetwcscatwcsrchr
                                      • String ID: AE$.cfg$General$EA
                                      • API String ID: 776488737-1622828088
                                      • Opcode ID: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                      • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                                      • Opcode Fuzzy Hash: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                      • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                                      APIs
                                      • memset.MSVCRT ref: 0040D8BD
                                      • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                      • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                      • memset.MSVCRT ref: 0040D906
                                      • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                      • _wcsicmp.MSVCRT ref: 0040D92F
                                        • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                        • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                      • String ID: sysdatetimepick32
                                      • API String ID: 1028950076-4169760276
                                      • Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                      • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                      • Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                      • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy$memset
                                      • String ID: -journal$-wal
                                      • API String ID: 438689982-2894717839
                                      • Opcode ID: 4ac88023d002366decc5273a510af2ce11e9bf28f765889455521809b037904a
                                      • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                      • Opcode Fuzzy Hash: 4ac88023d002366decc5273a510af2ce11e9bf28f765889455521809b037904a
                                      • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                      APIs
                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                      • EndDialog.USER32(?,00000002), ref: 00405C83
                                      • EndDialog.USER32(?,00000001), ref: 00405C98
                                        • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                        • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                      • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                      • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Item$Dialog$MessageSend
                                      • String ID:
                                      • API String ID: 3975816621-0
                                      • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                      • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                      • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                      • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                                      APIs
                                      • _wcsicmp.MSVCRT ref: 00444D09
                                      • _wcsicmp.MSVCRT ref: 00444D1E
                                      • _wcsicmp.MSVCRT ref: 00444D33
                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                        • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _wcsicmp$wcslen$_memicmp
                                      • String ID: .save$http://$https://$log profile$signIn
                                      • API String ID: 1214746602-2708368587
                                      • Opcode ID: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                      • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                                      • Opcode Fuzzy Hash: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                      • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                      • String ID:
                                      • API String ID: 2313361498-0
                                      • Opcode ID: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                                      • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                      • Opcode Fuzzy Hash: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                                      • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                                      APIs
                                      • GetClientRect.USER32(?,?), ref: 00405F65
                                      • GetWindow.USER32(?,00000005), ref: 00405F7D
                                      • GetWindow.USER32(00000000), ref: 00405F80
                                        • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                      • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                      • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                      • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                      • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                      • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Window$ItemMessageRectSend$Client
                                      • String ID:
                                      • API String ID: 2047574939-0
                                      • Opcode ID: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                      • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                                      • Opcode Fuzzy Hash: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                      • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                      • String ID:
                                      • API String ID: 4218492932-0
                                      • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                      • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                      • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                      • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                      APIs
                                        • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                        • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                        • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A75D
                                        • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A7AA
                                      • memcpy.MSVCRT ref: 0044A8BF
                                      • memcpy.MSVCRT ref: 0044A90C
                                      • memcpy.MSVCRT ref: 0044A988
                                        • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A422
                                        • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A46E
                                      • memcpy.MSVCRT ref: 0044A9D8
                                      • memcpy.MSVCRT ref: 0044AA19
                                      • memcpy.MSVCRT ref: 0044AA4A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy$memset
                                      • String ID: gj
                                      • API String ID: 438689982-4203073231
                                      • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                      • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                      • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                      • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                      • API String ID: 3510742995-2446657581
                                      • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                      • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                                      • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                      • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                                      APIs
                                      • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                      • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                      • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                      • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                      • memset.MSVCRT ref: 00405ABB
                                      • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                      • SetFocus.USER32(?), ref: 00405B76
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: MessageSend$FocusItemmemset
                                      • String ID:
                                      • API String ID: 4281309102-0
                                      • Opcode ID: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                      • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                                      • Opcode Fuzzy Hash: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                      • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _snwprintfwcscat
                                      • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                      • API String ID: 384018552-4153097237
                                      • Opcode ID: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                      • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                                      • Opcode Fuzzy Hash: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                      • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ItemMenu$CountInfomemsetwcschr
                                      • String ID: 0$6
                                      • API String ID: 2029023288-3849865405
                                      • Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                      • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                      • Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                      • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                      APIs
                                        • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                      • memset.MSVCRT ref: 00405455
                                      • memset.MSVCRT ref: 0040546C
                                      • memset.MSVCRT ref: 00405483
                                      • memcpy.MSVCRT ref: 00405498
                                      • memcpy.MSVCRT ref: 004054AD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$memcpy$ErrorLast
                                      • String ID: 6$\
                                      • API String ID: 404372293-1284684873
                                      • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                      • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                      • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                      • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                      APIs
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                      • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                      • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                      • wcscpy.MSVCRT ref: 0040A0D9
                                      • wcscat.MSVCRT ref: 0040A0E6
                                      • wcscat.MSVCRT ref: 0040A0F5
                                      • wcscpy.MSVCRT ref: 0040A107
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                      • String ID:
                                      • API String ID: 1331804452-0
                                      • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                      • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                      • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                      • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                      APIs
                                        • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                      • String ID: advapi32.dll
                                      • API String ID: 2012295524-4050573280
                                      • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                      • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                      • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                      • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                      APIs
                                      Strings
                                      • <?xml version="1.0" ?>, xrefs: 0041007C
                                      • <%s>, xrefs: 004100A6
                                      • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$_snwprintf
                                      • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                      • API String ID: 3473751417-2880344631
                                      • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                      • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                      • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                      • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: wcscat$_snwprintfmemset
                                      • String ID: %2.2X
                                      • API String ID: 2521778956-791839006
                                      • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                      • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                      • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                      • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _snwprintfwcscpy
                                      • String ID: dialog_%d$general$menu_%d$strings
                                      • API String ID: 999028693-502967061
                                      • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                      • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                      • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                      • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy$memsetstrlen
                                      • String ID:
                                      • API String ID: 2350177629-0
                                      • Opcode ID: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                      • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                                      • Opcode Fuzzy Hash: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                      • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcmpmemset$_mbscpymemcpystrlen
                                      • String ID:
                                      APIs
                                        • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                        • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                        • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                        • Part of subcall function 0040A9CE: ??3@YAXPAX@Z.MSVCRT ref: 0040A9DD
                                      • memset.MSVCRT ref: 0040C439
                                      • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                      • _wcsupr.MSVCRT ref: 0040C481
                                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                        • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                        • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                        • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                      • memset.MSVCRT ref: 0040C4D0
                                      • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                      • String ID:
                                      APIs
                                      • memset.MSVCRT ref: 004116FF
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                        • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                        • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                        • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                        • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                        • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                        • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                      • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                      APIs
                                      • memset.MSVCRT ref: 004185FC
                                      • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
                                      • ??3@YAXPAX@Z.MSVCRT ref: 00418650
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??3@AttributesFilememset
                                      • String ID:
                                      APIs
                                      • AreFileApisANSI.KERNEL32 ref: 004174FC
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                      • malloc.MSVCRT ref: 00417524
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                      • ??3@YAXPAX@Z.MSVCRT ref: 00417544
                                      • ??3@YAXPAX@Z.MSVCRT ref: 00417562
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??3@ByteCharMultiWide$ApisFilemalloc
                                      • String ID:
                                      APIs
                                      • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                      • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0041822B
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: PathTemp$??3@
                                      • String ID: %s\etilqs_$etilqs_
                                      APIs
                                      • memset.MSVCRT ref: 0040FDD5
                                        • Part of subcall function 00414E7F: memcpy.MSVCRT ref: 00414EFC
                                        • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                        • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                      • _snwprintf.MSVCRT ref: 0040FE1F
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                      • String ID: <%s>%s</%s>$</item>$<item>
                                      APIs
                                      • wcscpy.MSVCRT ref: 0041477F
                                      • wcscpy.MSVCRT ref: 0041479A
                                      • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
                                      • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: wcscpy$CloseCreateFileHandle
                                      • String ID: General
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ErrorLastMessage_snwprintf
                                      • String ID: Error$Error %d: %s
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: foreign key constraint failed$new$oid$old
                                      Strings
                                      • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                      • unknown column "%s" in foreign key definition, xrefs: 00431858
                                      • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpymemset
                                      • String ID: gj
                                      APIs
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E961
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E974
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E987
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E99A
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E9D3
                                        • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      APIs
                                      • AreFileApisANSI.KERNEL32 ref: 00417497
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                      • malloc.MSVCRT ref: 004174BD
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                      • ??3@YAXPAX@Z.MSVCRT ref: 004174E4
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$??3@ApisFilemalloc
                                      • String ID:
                                      APIs
                                      • GetParent.USER32(?), ref: 0040D453
                                      • GetWindowRect.USER32(?,?), ref: 0040D460
                                      • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                      • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Window$Rect$ClientParentPoints
                                      • String ID:
                                      APIs
                                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                      • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                      • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                      • memset.MSVCRT ref: 004450CD
                                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                      • ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                        • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                        • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
                                        • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
                                        • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D
                                      • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                      • String ID:
                                      APIs
                                      • wcscpy.MSVCRT ref: 0044475F
                                      • wcscat.MSVCRT ref: 0044476E
                                      • wcscat.MSVCRT ref: 0044477F
                                      • wcscat.MSVCRT ref: 0044478E
                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                        • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                        • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                                        • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                      • String ID: \StringFileInfo\
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy$??3@
                                      • String ID: g4@
                                      • API String ID: 3314356048-2133833424
                                      • Opcode ID: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                      • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                      • Opcode Fuzzy Hash: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                      • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _memicmpwcslen
                                      • String ID: @@@@$History
                                      • API String ID: 1872909662-685208920
                                      • Opcode ID: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                      • Instruction ID: 0314511eba11a06c501d0b319d6753a7178557fc2485e08f734f24cb460fdfed
                                      • Opcode Fuzzy Hash: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                      • Instruction Fuzzy Hash: F1F0CD3310471157D210DE199C41A2BF7F8DB813A5F11063FF991A31C2D739EC658657
                                      APIs
                                      • memset.MSVCRT ref: 004100FB
                                      • memset.MSVCRT ref: 00410112
                                        • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                        • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                      • _snwprintf.MSVCRT ref: 00410141
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$_snwprintf_wcslwrwcscpy
                                      • String ID: </%s>
                                      • API String ID: 3400436232-259020660
                                      • Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                      • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                      • Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                      • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                      APIs
                                      • memset.MSVCRT ref: 0040D58D
                                      • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                      • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ChildEnumTextWindowWindowsmemset
                                      • String ID: caption
                                      • API String ID: 1523050162-4135340389
                                      • Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                      • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                      • Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                      • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                      APIs
                                        • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                        • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                      • CreateFontIndirectW.GDI32(?), ref: 00401156
                                      • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                      • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                      • String ID: MS Sans Serif
                                      • API String ID: 210187428-168460110
                                      • Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                      • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                      • Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                      • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ClassName_wcsicmpmemset
                                      • String ID: edit
                                      • API String ID: 2747424523-2167791130
                                      • Opcode ID: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                                      • Instruction ID: aa36152fd255268de381ae2120198bffa1fffac517830ea88c39a2b7b5867ff0
                                      • Opcode Fuzzy Hash: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                                      • Instruction Fuzzy Hash: 86E0D872D8031E6AFB10EBA0DC4AFA977BCFB01708F0001B6B915E10C2EBB496494A45
                                      APIs
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                      • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                      • String ID: SHAutoComplete$shlwapi.dll
                                      • API String ID: 3150196962-1506664499
                                      • Opcode ID: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
                                      • Instruction ID: 56be8aed7d941f739c6f69dc747e21d8edf2639efa9d7e462eda1ee05908af23
                                      • Opcode Fuzzy Hash: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
                                      • Instruction Fuzzy Hash: C1D0C2353002315BD6616B27AC04AAF2A99EFC13A1B054035F928D2210DBA84996827D
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy$memcmp
                                      • String ID:
                                      • API String ID: 3384217055-0
                                      • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                      • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                                      • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                      • Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$memcpy
                                      • String ID:
                                      • API String ID: 368790112-0
                                      • Opcode ID: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                                      • Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
                                      • Opcode Fuzzy Hash: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                                      • Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
                                      APIs
                                        • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                        • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                        • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                        • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                        • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                      • GetMenu.USER32(?), ref: 00410F8D
                                      • GetSubMenu.USER32(00000000), ref: 00410F9A
                                      • GetSubMenu.USER32(00000000), ref: 00410F9D
                                      • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                      • String ID:
                                      • API String ID: 1889144086-0
                                      • Opcode ID: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                      • Instruction ID: be5000c07a60ff25a23af51018491178d5f127676f18bd69b4cc56e9e4830f27
                                      • Opcode Fuzzy Hash: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                      • Instruction Fuzzy Hash: D5517171B40704BFEB20AB66CD4AF9FBAB9EB44704F00046EB249B72E2C6756D50DB54
                                      APIs
                                      • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                                      • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                                      • GetLastError.KERNEL32 ref: 0041810A
                                      • CloseHandle.KERNEL32(00000000), ref: 00418120
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateErrorHandleLastMappingView
                                      • String ID:
                                      • API String ID: 1661045500-0
                                      • Opcode ID: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                      • Instruction ID: 5cb71d9443798353a032a6b226e7c46d85178154149a60e532078a3cdb21b7c8
                                      • Opcode Fuzzy Hash: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                      • Instruction Fuzzy Hash: 64518A71204706DFDB24CF25C984AA7BBE5FF88344F10492EF84287691EB74E895CB99
                                      APIs
                                        • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                      • memcpy.MSVCRT ref: 0042EC7A
                                      Strings
                                      • virtual tables may not be altered, xrefs: 0042EBD2
                                      • Cannot add a column to a view, xrefs: 0042EBE8
                                      • sqlite_altertab_%s, xrefs: 0042EC4C
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpymemset
                                      • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                      • API String ID: 1297977491-2063813899
                                      • Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                      • Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
                                      • Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                      • Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
                                      APIs
                                      • memset.MSVCRT ref: 0040560C
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                        • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                        • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                        • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                        • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                        • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                        • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                      • String ID: *.*$dat$wand.dat
                                      • API String ID: 2618321458-1828844352
                                      • Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                      • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                      • Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                      • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
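The blocks above are the Joe Sandbox IDA plugin's per-function records for the image at 0x400000 in process 17: each opens with an "APIs" list (direct calls with recovered arguments and call-site addresses, plus "Part of subcall function" lines for inlined callees), optionally a "Strings" list with xref addresses, then the dump source and the Similarity fields (API ID, String ID, opcode and instruction hashes). Reading thousands of such records by eye is impractical, so the Python below, an added example that is not part of the Joe Sandbox report or of the sample, parses the text into structures and runs two triage passes on a trimmed excerpt of three records copied from above: locating functions by recovered string (wand.dat, the legacy Opera password store, and SQLite's ALTER TABLE error strings, which show SQLite compiled into the image), and decoding the flag arguments of the CreateFileMappingW/MapViewOfFile pair (flProtect 4 is PAGE_READWRITE, dwDesiredAccess 6 is FILE_MAP_READ|FILE_MAP_WRITE). Two layout assumptions are inferred from this page and marked in the code: every record opens with an "APIs" heading, and "$" separates entries in the String ID field.

```python
"""Parse Joe Sandbox 'Executed Functions' records (APIs / Strings / Memory Dump
Source / Similarity blocks) into structures and triage them.  Added example,
not Joe Sandbox code; record layout inferred from the report page."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass, field

# "• SetWindowTextW.USER32(?,?), ref: 0040D5BD"  /  "• memset.MSVCRT ref: 004100FB",
# optionally prefixed with "Part of subcall function 0040F5BE: " for inlined callees.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>[^.\s(]+)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
STRING_LINE = re.compile(r"^•\s*(?P<text>.*), xrefs: (?P<ref>[0-9A-F]{8})$")
META_LINE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}
FILE_MAP = {0x2: "FILE_MAP_WRITE", 0x4: "FILE_MAP_READ", 0x20: "FILE_MAP_EXECUTE"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]               # as recovered by the plugin; "?" means unknown
    ref: str                      # call-site address
    subcall_of: str | None = None # set when the call sits inside an inlined callee


@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    strings: dict[str, str] = field(default_factory=dict)  # text -> xref address
    meta: dict[str, str] = field(default_factory=dict)     # API ID, String ID, hashes, ...

    def string_ids(self) -> list[str]:
        # Assumption: the String ID field joins strings with '$' and '$' never
        # occurs inside a string (true for every record on this page).
        return [s for s in self.meta.get("String ID", "").split("$") if s]


def parse_records(text: str) -> list[FunctionRecord]:
    records: list[FunctionRecord] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":          # assumption: every record opens with its APIs block
                records.append(FunctionRecord())
            section = line
        elif line and records:
            rec = records[-1]
            if section == "APIs" and (m := API_LINE.match(line)):
                args = m["args"].split(",") if m["args"] is not None else []
                rec.calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
            elif section == "Strings" and (m := STRING_LINE.match(line)):
                rec.strings[m["text"]] = m["ref"]
            elif (m := META_LINE.match(line)):
                rec.meta[m["key"]] = m["val"].strip()
    return records


def api_histogram(records: list[FunctionRecord]) -> Counter:
    """Direct calls only: subcall entries are repeated under every caller."""
    return Counter(c.api for r in records for c in r.calls if c.subcall_of is None)


def records_mentioning(records: list[FunctionRecord], needle: str) -> list[FunctionRecord]:
    """Records whose recovered strings (Strings list or String ID field) contain needle."""
    needle = needle.lower()
    return [r for r in records if any(needle in s.lower() for s in list(r.strings) + r.string_ids())]


def decode_mapping_flags(c: ApiCall) -> str | None:
    """Symbolic form of the flag argument of the CreateFileMappingW/MapViewOfFile pair."""
    if c.api == "CreateFileMappingW" and len(c.args) == 6 and c.args[2] != "?":
        return PAGE_PROTECT.get(int(c.args[2], 16), c.args[2])          # flProtect
    if c.api == "MapViewOfFile" and len(c.args) == 5 and c.args[1] != "?":
        v = int(c.args[1], 16)                                            # dwDesiredAccess
        return "|".join(n for bit, n in FILE_MAP.items() if v & bit) or hex(v)
    return None


# Trimmed excerpt of three records from the report (Similarity lines shortened).
SAMPLE = """\
APIs
• CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
• MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
• GetLastError.KERNEL32 ref: 0041810A
• CloseHandle.KERNEL32(00000000), ref: 00418120
Memory Dump Source
• Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$CloseCreateErrorHandleLastMappingView
• String ID:
APIs
  • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
• memcpy.MSVCRT ref: 0042EC7A
Strings
• virtual tables may not be altered, xrefs: 0042EBD2
• sqlite_altertab_%s, xrefs: 0042EC4C
Similarity
• API ID: memcpymemset
• String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
APIs
• memset.MSVCRT ref: 0040560C
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
Strings
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.*$dat$wand.dat
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records; direct API histogram:", api_histogram(recs).most_common())
    for r in records_mentioning(recs, "wand.dat"):
        print("wand.dat handled by the function with API ID", r.meta["API ID"])
    for c in recs[0].calls:
        if (d := decode_mapping_flags(c)):
            print(f"{c.ref}: {c.api} -> {d}")
```

For the full report, feed the whole "Executed Functions" text to `parse_records`; the histogram deliberately counts only direct calls, because every "Part of subcall function" line is repeated under each caller and would otherwise dominate the counts. Arguments the plugin could not recover stay as the literal "?", so the decoders refuse rather than guess.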
                                      APIs
                                        • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                        • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                      • wcslen.MSVCRT ref: 00410C74
                                      • _wtoi.MSVCRT ref: 00410C80
                                      • _wcsicmp.MSVCRT ref: 00410CCE
                                      • _wcsicmp.MSVCRT ref: 00410CDF
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                      • String ID:
                                      • API String ID: 1549203181-0
                                      • Opcode ID: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
                                      • Instruction ID: d767fa7272777d82bc727b9b5621bf7cb5fcf48a3d465f11467ce1d5a1151d11
                                      • Opcode Fuzzy Hash: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
                                      • Instruction Fuzzy Hash: 5E4190359006089FCF21DFA9D480AD9BBB4EF48318F1105AAEC05DB316D6B4EAC08B99
                                      APIs
                                      • memset.MSVCRT ref: 00412057
                                        • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                      • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                      • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                      • GetKeyState.USER32(00000010), ref: 0041210D
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                      • String ID:
                                      • API String ID: 3550944819-0
                                      • Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                      • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                      • Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                      • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                      APIs
                                      • wcslen.MSVCRT ref: 0040A8E2
                                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                        • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                        • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                      • memcpy.MSVCRT ref: 0040A94F
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??3@$memcpy$mallocwcslen
                                      • String ID:
                                      • API String ID: 3023356884-0
                                      • Opcode ID: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
                                      • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                                      • Opcode Fuzzy Hash: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
                                      • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                                      APIs
                                      • wcslen.MSVCRT ref: 0040B1DE
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040B201
                                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                        • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                        • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040B224
                                      • memcpy.MSVCRT ref: 0040B248
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??3@$memcpy$mallocwcslen
                                      • String ID:
                                      • API String ID: 3023356884-0
                                      • Opcode ID: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                                      • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                      • Opcode Fuzzy Hash: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                                      • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: @
                                      • API String ID: 3510742995-2766056989
                                      • Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                      • Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
                                      • Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                      • Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??2@??3@memcpymemset
                                      • String ID:
                                      • API String ID: 1865533344-0
                                      • Opcode ID: 63ad74f41b12567b58218fea097aeaefd91ee3ffeae00ec4d641ec9fdbd265cd
                                      • Instruction ID: b60eca7fe842e91d7951f76ed0837c2ba419520120b0ca9395dcc9976308fc09
                                      • Opcode Fuzzy Hash: 63ad74f41b12567b58218fea097aeaefd91ee3ffeae00ec4d641ec9fdbd265cd
                                      • Instruction Fuzzy Hash: C7118C71204701AFD328DF2DC881A27F7E9EF99300B21892EE49AC7385DA35E811CB55
                                      APIs
                                      • strlen.MSVCRT ref: 0040B0D8
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
                                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                        • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                        • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
                                      • memcpy.MSVCRT ref: 0040B159
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??3@$memcpy$mallocstrlen
                                      • String ID:
                                      • API String ID: 1171893557-0
                                      • Opcode ID: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                      • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                      • Opcode Fuzzy Hash: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                      • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                      APIs
                                      • memset.MSVCRT ref: 004144E7
                                        • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                        • Part of subcall function 0040A353: memcpy.MSVCRT ref: 0040A3A8
                                      • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                      • memset.MSVCRT ref: 0041451A
                                      • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                      • String ID:
                                      • API String ID: 1127616056-0
                                      • Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                      • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                      • Opcode Fuzzy Hash: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                      • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy$memset
                                      • String ID: sqlite_master
                                      • API String ID: 438689982-3163232059
                                      • Opcode ID: ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
                                      • Instruction ID: 9056235088afc86d32383ab843763c359d37acea7f1aa245e41bfa901f9896ac
                                      • Opcode Fuzzy Hash: ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
                                      • Instruction Fuzzy Hash: 9401C872D006047BDB11AFB19C42FDEBB7CEF05318F51452BFA0461182E73A97248795
                                      APIs
                                      • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                      • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                      • wcscpy.MSVCRT ref: 00414DF3
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: BrowseFolderFromListMallocPathwcscpy
                                      • String ID:
                                      • API String ID: 3917621476-0
                                      • Opcode ID: d90d9ac40998c7a3314b3e96da16ed6310d1c669f25a0de425d8610d706a6174
                                      • Instruction ID: 3f0f02420fde520a26c7535fd1ed00e0b1d7e8cc8ebd586967f5863715f62e8c
                                      • Opcode Fuzzy Hash: d90d9ac40998c7a3314b3e96da16ed6310d1c669f25a0de425d8610d706a6174
                                      • Instruction Fuzzy Hash: 3311FAB5A00208AFDB10DFA9D9889EEB7F8FB49314F10446AF905E7200D739DB45CB64
                                      APIs
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                        • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                      • _snwprintf.MSVCRT ref: 00410FE1
                                      • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                      • _snwprintf.MSVCRT ref: 0041100C
                                      • wcscat.MSVCRT ref: 0041101F
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                      • String ID:
                                      • API String ID: 822687973-0
                                      • Opcode ID: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
                                      • Instruction ID: a8ddfa12325215ca31dcaa8c3ea10779747deab4b932dc2622e692dd88e5739d
                                      • Opcode Fuzzy Hash: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
                                      • Instruction Fuzzy Hash: DC0184B59003056AF730E765DC86FAB73ACAB44708F04047AB319F6183DA79A9454A6D
                                      APIs
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,771ADF80,?,0041755F,?), ref: 00417452
                                      • malloc.MSVCRT ref: 00417459
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,771ADF80,?,0041755F,?), ref: 00417478
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0041747F
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$??3@malloc
                                      • String ID:
                                      • API String ID: 4284152360-0
                                      • Opcode ID: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                      • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                      • Opcode Fuzzy Hash: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                      • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                      • RegisterClassW.USER32(?), ref: 00412428
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                      • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: HandleModule$ClassCreateRegisterWindow
                                      • String ID:
                                      • API String ID: 2678498856-0
                                      • Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                      • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                      • Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                      • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                      APIs
                                      • GetDlgItem.USER32(?,?), ref: 00409B40
                                      • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                      • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                      • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: MessageSend$Item
                                      • String ID:
                                      • API String ID: 3888421826-0
                                      • Opcode ID: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                      • Instruction ID: c5475329a145d4377f6ebcab718370c73cf4573fffc80ea9acc016878d8bcf0e
                                      • Opcode Fuzzy Hash: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                      • Instruction Fuzzy Hash: 89F01D75A0010CBFEB019F959CC1CAF7BBDFB497A4B204475F504E2150D274AE41AA64
                                      APIs
                                      • memset.MSVCRT ref: 00417B7B
                                      • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                      • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                      • GetLastError.KERNEL32 ref: 00417BB5
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: File$ErrorLastLockUnlockmemset
                                      • String ID:
                                      • API String ID: 3727323765-0
                                      • Opcode ID: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                                      • Instruction ID: 0282759007fe27108f915f617c318df1b7667033481b7feabffed058191037b6
                                      • Opcode Fuzzy Hash: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                                      • Instruction Fuzzy Hash: A801F971108208BFDB219FA5DC84D9B77B8FB40308F20483AF51395050D730A944CB65
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                      • malloc.MSVCRT ref: 00417407
                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                      • ??3@YAXPAX@Z.MSVCRT ref: 00417425
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$??3@malloc
                                      • String ID:
                                      • API String ID: 4284152360-0
                                      • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                      • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                      • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                      • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                                      APIs
                                      • memset.MSVCRT ref: 0040F673
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                      • strlen.MSVCRT ref: 0040F6A2
                                      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                                      • String ID:
                                      • API String ID: 2754987064-0
                                      • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                      • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                      • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                      • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                      APIs
                                      • memset.MSVCRT ref: 0040F6E2
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                      • strlen.MSVCRT ref: 0040F70D
                                      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                                      • String ID:
                                      • API String ID: 2754987064-0
                                      • Opcode ID: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                      • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                      • Opcode Fuzzy Hash: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                      • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                      APIs
                                      • memset.MSVCRT ref: 00402FD7
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                      • strlen.MSVCRT ref: 00403006
                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                                      • String ID:
                                      • API String ID: 2754987064-0
                                      • Opcode ID: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                                      • Instruction ID: 6e06d661e179051d6303c1013900a6e5c00fd457a34177cb37a2705ba00c9068
                                      • Opcode Fuzzy Hash: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                                      • Instruction Fuzzy Hash: 01F049B680122CBEFB05AB949CC9DEB77ACEB05254F0000A2B715D2082E6749F448BA9
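The records above (the sqlite_master lookup, the LockFileEx/UnlockFileEx pair, and the three memset / WideCharToMultiByte / strlen / WriteFile routines) are the kind of API combinations an analyst wants pulled out of a report like this automatically. The following is an added example, not part of the Joe Sandbox report or its IDA plugin: a small parser for this function-record layout plus a few tagging heuristics of my own. The sample input is three records copied from this page; the record-layout assumptions (every record opens with the "APIs" label, bullet lines carry either an API call or a "Key: value" field) and the tag names are mine. The CodePage decode relies only on the documented constants: 0xFDE9 is 65001, CP_UTF8.

```python
"""Parse Joe Sandbox 'IDA Plugin' function records and tag notable API combinations.

Added example, not code from the Joe Sandbox report. Layout assumptions and tag
heuristics are the author's; the sample records are copied from this page.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: three function records in the report's layout (copied from this page).
SAMPLE = """\
APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
Similarity
• API ID: memcpy$memset
• String ID: sqlite_master
• API String ID: 438689982-3163232059
• Opcode ID: ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
APIs
• memset.MSVCRT ref: 00417B7B
• UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
• LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
• GetLastError.KERNEL32 ref: 00417BB5
Similarity
• API ID: File$ErrorLastLockUnlockmemset
• String ID:
• Opcode ID: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
APIs
• memset.MSVCRT ref: 00402FD7
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
• strlen.MSVCRT ref: 00403006
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
Similarity
• Opcode ID: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
"""

# "• name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function ADDR:"
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s+)?"
    r"(?P<name>[^.\s(]+)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$"
)
# "• Key: value" lines (Source File, API ID, String ID, Opcode ID, ...)
KV_RE = re.compile(r"^•\s+(?P<key>[A-Za-z ]+):\s*(?P<val>.*)$")

# CodePage argument of WideCharToMultiByte / MultiByteToWideChar (documented Win32 constants)
CP_NAMES = {0x0000: "CP_ACP", 0x0001: "CP_OEMCP", 0xFDE9: "CP_UTF8"}  # 0xFDE9 == 65001


@dataclass
class ApiCall:
    name: str
    module: str
    args: list            # raw argument tokens as printed by the plugin ("?" = unknown)
    ref: int              # call-site address
    subcall_of: Optional[int] = None   # set when the call lives in a callee, not this function


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def opcode_id(self) -> str:
        return self.fields.get("Opcode ID", "")

    @property
    def string_id(self) -> str:
        return self.fields.get("String ID", "")


def parse_records(text: str) -> list:
    """Split the dump into FunctionRecords; assumption: each record opens with the 'APIs' label."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue            # section labels (Strings, Similarity, ...) carry no data themselves
        m = API_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] is not None else []
            sub = int(m["sub"], 16) if m["sub"] else None
            cur.apis.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16), sub))
            continue
        m = KV_RE.match(line)
        if m:
            cur.fields[m["key"].strip()] = m["val"].strip()
    return records


def codepages(rec: FunctionRecord) -> list:
    """Decode the CodePage argument of each direct WideCharToMultiByte call ('?' is skipped)."""
    out = []
    for a in rec.apis:
        if a.name == "WideCharToMultiByte" and a.subcall_of is None and a.args:
            try:
                cp = int(a.args[0], 16)
            except ValueError:
                continue
            out.append(CP_NAMES.get(cp, f"codepage {cp}"))
    return out


def tag_record(rec: FunctionRecord) -> set:
    """Heuristic labels (the author's, not the report's) for combinations worth a second look."""
    names = {a.name for a in rec.apis if a.subcall_of is None}   # direct calls only
    tags = set()
    if "sqlite_master" in rec.string_id:
        tags.add("sqlite-schema-query")     # sqlite_master is the SQLite schema table
    if {"LockFileEx", "UnlockFileEx"} <= names:
        tags.add("byte-range-locking")      # the locking primitives SQLite's Win32 VFS uses
    if names & {"GetPrivateProfileStringW", "WritePrivateProfileStringW"}:
        tags.add("ini-config")
    if {"WideCharToMultiByte", "WriteFile"} <= names:
        tags.add("write-narrow-text")       # UTF-16 buffer narrowed, then written to a file
    return tags


def triage(text: str) -> list:
    """One summary line per record: short opcode ID, tags, decoded code pages."""
    return [
        {"opcode": r.opcode_id[:12], "tags": sorted(tag_record(r)), "codepages": codepages(r)}
        for r in parse_records(text)
    ]


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Run it on a saved copy of a report's function listing instead of SAMPLE to get one line per function; the sqlite_master and LockFileEx records land next to each other in a grep of the tags, and the 0xFDE9 argument decodes to CP_UTF8 so the WriteFile routines read as UTF-8 text output rather than raw binary writes. Records whose API lines the page has lost (the first sample record) still parse, carrying only their Similarity fields.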
                                      APIs
                                        • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                        • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                        • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                      • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                      • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                      • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                      • GetStockObject.GDI32(00000000), ref: 004143C6
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                      • String ID:
                                      • API String ID: 764393265-0
                                      • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                      • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                      • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                      • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                      APIs
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                      • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                      • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Time$System$File$LocalSpecific
                                      • String ID:
                                      • API String ID: 979780441-0
                                      • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                      • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                      • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                      • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                      APIs
                                      • memcpy.MSVCRT ref: 004134E0
                                      • memcpy.MSVCRT ref: 004134F2
                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                      • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy$DialogHandleModuleParam
                                      • String ID:
                                      • API String ID: 1386444988-0
                                      • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                      • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                      • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                      • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                      APIs
                                      • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                      • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: InvalidateMessageRectSend
                                      • String ID: d=E
                                      • API String ID: 909852535-3703654223
                                      • Opcode ID: d50188de171b89ef93dcf19ee585c83eb13d29586f1846fcb2bff02c85403588
                                      • Instruction ID: 9534a32422cce1c6391a187da628b0196a645ea69cbd0f5c6bc65931d7846800
                                      • Opcode Fuzzy Hash: d50188de171b89ef93dcf19ee585c83eb13d29586f1846fcb2bff02c85403588
                                      • Instruction Fuzzy Hash: 7E61E9307006044BDB20EB658885FEE73E6AF44728F42456BF2195B2B2CB79ADC6C74D
                                      APIs
                                      • wcschr.MSVCRT ref: 0040F79E
                                      • wcschr.MSVCRT ref: 0040F7AC
                                        • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                        • Part of subcall function 0040AA8C: memcpy.MSVCRT ref: 0040AACB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: wcschr$memcpywcslen
                                      • String ID: "
                                      • API String ID: 1983396471-123907689
                                      • Opcode ID: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                      • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                      • Opcode Fuzzy Hash: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                      • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                      APIs
                                        • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                      • _memicmp.MSVCRT ref: 0040C00D
                                      • memcpy.MSVCRT ref: 0040C024
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: FilePointer_memicmpmemcpy
                                      • String ID: URL
                                      • API String ID: 2108176848-3574463123
                                      • Opcode ID: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                      • Instruction ID: e2f67ed442a0be3002cd5c838a3b557e7d557c6bd05ddcbc6cfa09d4dad31ce1
                                      • Opcode Fuzzy Hash: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                      • Instruction Fuzzy Hash: 03110271600204FBEB11DFA9CC45F5B7BA9EF41388F004166F904AB291EB79DE10C7A9
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _snwprintfmemcpy
                                      • String ID: %2.2X
                                      • API String ID: 2789212964-323797159
                                      • Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                      • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                      • Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                      • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _snwprintf
                                      • String ID: %%-%d.%ds
                                      • API String ID: 3988819677-2008345750
                                      • Opcode ID: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                      • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                      • Opcode Fuzzy Hash: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                      • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                      APIs
                                      • memset.MSVCRT ref: 0040E770
                                      • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: MessageSendmemset
                                      • String ID: F^@
                                      • API String ID: 568519121-3652327722
                                      • Opcode ID: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                      • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                      • Opcode Fuzzy Hash: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                      • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: PlacementWindowmemset
                                      • String ID: WinPos
                                      • API String ID: 4036792311-2823255486
                                      • Opcode ID: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                      • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                      • Opcode Fuzzy Hash: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                      • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                      APIs
                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                      • wcsrchr.MSVCRT ref: 0040DCE9
                                      • wcscat.MSVCRT ref: 0040DCFF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: FileModuleNamewcscatwcsrchr
                                      • String ID: _lng.ini
                                      • API String ID: 383090722-1948609170
                                      • Opcode ID: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                      • Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
                                      • Opcode Fuzzy Hash: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                      • Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
                                      APIs
                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                      • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                      • String ID: SHGetSpecialFolderPathW$shell32.dll
                                      • API String ID: 2773794195-880857682
                                      • Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                      • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                      • Opcode Fuzzy Hash: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                      • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy$memset
                                      • String ID:
                                      • API String ID: 438689982-0
                                      • Opcode ID: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                      • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                      • Opcode Fuzzy Hash: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                      • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??2@$memset
                                      • String ID:
                                      • API String ID: 1860491036-0
                                      • Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                      • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                      • Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                      • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                      APIs
                                      • memcmp.MSVCRT ref: 00408AF3
                                        • Part of subcall function 00408A6E: memcmp.MSVCRT ref: 00408A8C
                                        • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408ABB
                                        • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408AD0
                                      • memcmp.MSVCRT ref: 00408B2B
                                      • memcmp.MSVCRT ref: 00408B5C
                                      • memcpy.MSVCRT ref: 00408B79
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcmp$memcpy
                                      • String ID:
                                      • API String ID: 231171946-0
                                      • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                      • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                      • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                      • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000011.00000002.1287585221.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_17_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: wcslen$wcscat$wcscpy
                                      • String ID:
                                      • API String ID: 1961120804-0
                                      • Opcode ID: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                      • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                      • Opcode Fuzzy Hash: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                      • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E

                                      Execution Graph

                                      Execution Coverage: 2.4%
                                      Dynamic/Decrypted Code Coverage: 20.2%
                                      Signature Coverage: 0.5%
                                      Total number of Nodes: 856
                                      Total number of Limit Nodes: 19
34078 407ebd strlen strlen 34077->34078 34079 407ee1 34078->34079 34080 407eea 34078->34080 34100 4070e3 strlen _mbscat _mbscpy _mbscat 34079->34100 34080->34060 34083 407f03 FindFirstFileA 34082->34083 34084 407f24 FindNextFileA 34082->34084 34085 407f3f 34083->34085 34086 407f46 strlen strlen 34084->34086 34087 407f3a 34084->34087 34085->34086 34089 407f7f 34085->34089 34086->34089 34090 407f76 34086->34090 34088 407f90 FindClose 34087->34088 34088->34085 34089->34060 34101 4070e3 strlen _mbscat _mbscpy _mbscat 34090->34101 34093 407e6c strcmp 34092->34093 34095 407e94 34092->34095 34094 407e83 strcmp 34093->34094 34093->34095 34094->34095 34095->34070 34097 407fa3 34096->34097 34098 407f99 FindClose 34096->34098 34097->34071 34098->34097 34099->34060 34100->34080 34101->34089 34102->33524 34103->33528 34104->33534 34105->33536 34106->33541 34107->33538 34108->33533 34126 411853 RtlInitializeCriticalSection memset 34127 401455 ExitProcess GetWindowLongA SetWindowLongA EnumChildWindows EnumChildWindows 34300 40a256 13 API calls 34302 432e5b 17 API calls 34304 43fa5a 20 API calls 34129 401060 41 API calls 34307 427260 CloseHandle memset memset 33197 410c68 FindResourceA 33198 410c81 SizeofResource 33197->33198 33200 410cae 33197->33200 33199 410c92 LoadResource 33198->33199 33198->33200 33199->33200 33201 410ca0 LockResource 33199->33201 33201->33200 34309 405e69 14 API calls 34134 433068 15 API calls __fprintf_l 34311 414a6d 18 API calls 34312 43fe6f 134 API calls 34136 424c6d 15 API calls __fprintf_l 34313 426741 19 API calls 34138 440c70 17 API calls 34139 443c71 44 API calls 34142 427c79 24 API calls 34316 416e7e memset __fprintf_l 34146 42800b 47 API calls 34147 425115 85 API calls __fprintf_l 34319 41960c 61 API calls 34148 43f40c 122 API calls __fprintf_l 34151 411814 InterlockedCompareExchange RtlDeleteCriticalSection 34152 43f81a 20 API calls 34154 414c20 memset memset 34155 410c22 memset _itoa WritePrivateProfileStringA GetPrivateProfileIntA 34323 414625 
18 API calls 34324 404225 modf 34325 403a26 strlen WriteFile 34327 40422a 12 API calls 34331 427632 memset memset memcpy 34332 40ca30 59 API calls 34333 404235 26 API calls 34156 42ec34 61 API calls __fprintf_l 34157 425115 76 API calls __fprintf_l 34334 425115 77 API calls __fprintf_l 34336 44223a 38 API calls 34163 43183c 112 API calls 34337 44b2c5 _onexit __dllonexit 34342 42a6d2 memcpy __allrem 34165 405cda 65 API calls 34350 43fedc 138 API calls 34351 4116e1 16 API calls __fprintf_l 34168 4244e6 19 API calls 34170 42e8e8 127 API calls __fprintf_l 34171 4118ee RtlLeaveCriticalSection 34356 43f6ec 22 API calls 34173 425115 119 API calls __fprintf_l 33187 410cf3 EnumResourceNamesA 34359 4492f0 memcpy memcpy 34361 43fafa 18 API calls 34363 4342f9 15 API calls __fprintf_l 34174 4144fd 19 API calls 34365 4016fd NtdllDefWindowProc_A ??2@YAPAXI memset memcpy ??3@YAXPAX 34366 40b2fe LoadIconA LoadIconA SendMessageA SendMessageA SendMessageA 34369 443a84 _mbscpy 34371 43f681 17 API calls 34177 404487 22 API calls 34373 415e8c 16 API calls __fprintf_l 34181 411893 RtlDeleteCriticalSection __fprintf_l 34182 41a492 42 API calls 34377 403e96 34 API calls 34378 410e98 memset SHGetPathFromIDList SendMessageA 34184 426741 109 API calls __fprintf_l 34185 4344a2 18 API calls 34186 4094a2 10 API calls 34381 4116a6 15 API calls __fprintf_l 34382 43f6a4 17 API calls 34383 440aa3 20 API calls 34385 427430 45 API calls 34189 4090b0 7 API calls 34190 4148b0 15 API calls 34192 4118b4 RtlEnterCriticalSection 34193 4014b7 CreateWindowExA 34194 40c8b8 19 API calls 34196 4118bf RtlTryEnterCriticalSection 34390 42434a 18 API calls __fprintf_l 34392 405f53 12 API calls 34204 43f956 59 API calls 34206 40955a 17 API calls 34207 428561 36 API calls 34208 409164 7 API calls 34396 404366 19 API calls 34400 40176c ExitProcess 34403 410777 42 API calls 34213 40dd7b 51 API calls 34214 425d7c 16 API calls __fprintf_l 34405 43f6f0 25 API calls 34406 42db01 22 API calls 34215 412905 15 API calls 
__fprintf_l 34407 403b04 54 API calls 34408 405f04 SetDlgItemTextA GetDlgItemTextA 34409 44b301 ??3@YAXPAX 34412 4120ea 14 API calls 3 library calls 34413 40bb0a 8 API calls 34415 413f11 strcmp 34219 434110 17 API calls __fprintf_l 34222 425115 108 API calls __fprintf_l 34416 444b11 _onexit 34224 425115 76 API calls __fprintf_l 34227 429d19 10 API calls 34419 444b1f __dllonexit 34420 409f20 _strcmpi 34229 42b927 31 API calls 34423 433f26 19 API calls __fprintf_l 34424 44b323 FreeLibrary 34425 427f25 46 API calls 34426 43ff2b 17 API calls 34427 43fb30 19 API calls 34236 414d36 16 API calls 34238 40ad38 7 API calls 34429 433b38 16 API calls __fprintf_l 34109 44b33b 34110 44b344 ??3@YAXPAX 34109->34110 34111 44b34b 34109->34111 34110->34111 34112 44b354 ??3@YAXPAX 34111->34112 34113 44b35b 34111->34113 34112->34113 34114 44b364 ??3@YAXPAX 34113->34114 34115 44b36b 34113->34115 34114->34115 34116 44b374 ??3@YAXPAX 34115->34116 34117 44b37b 34115->34117 34116->34117 34242 426741 21 API calls 34243 40c5c3 125 API calls 34245 43fdc5 17 API calls 34430 4117c8 InterlockedCompareExchange RtlInitializeCriticalSection 34248 4161cb memcpy memcpy memcpy memcpy 33202 44b3cf 33203 44b3e6 33202->33203 33205 44b454 33202->33205 33203->33205 33209 44b40e 33203->33209 33206 44b405 33206->33205 33207 44b435 VirtualProtect 33206->33207 33207->33205 33208 44b444 VirtualProtect 33207->33208 33208->33205 33210 44b413 33209->33210 33212 44b454 33210->33212 33216 44b42b 33210->33216 33213 44b41c 33213->33212 33214 44b435 VirtualProtect 33213->33214 33214->33212 33215 44b444 VirtualProtect 33214->33215 33215->33212 33217 44b431 33216->33217 33218 44b435 VirtualProtect 33217->33218 33220 44b454 33217->33220 33219 44b444 VirtualProtect 33218->33219 33218->33220 33219->33220 34435 43ffc8 18 API calls 34249 4281cc 15 API calls __fprintf_l 34437 4383cc 110 API calls __fprintf_l 34250 4275d3 41 API calls 34438 4153d3 22 API calls __fprintf_l 34251 444dd7 _XcptFilter 34443 4013de 15 API calls 34445 
425115 111 API calls __fprintf_l 34446 43f7db 18 API calls 34449 410be6 WritePrivateProfileStringA GetPrivateProfileStringA 34253 4335ee 16 API calls __fprintf_l 34451 429fef 11 API calls 34254 444deb _exit _c_exit 34452 40bbf0 138 API calls 34257 425115 79 API calls __fprintf_l 34456 437ffa 22 API calls 34261 4021ff 14 API calls 34262 43f5fc 149 API calls 34457 40e381 9 API calls 34264 405983 40 API calls 34265 42b186 27 API calls __fprintf_l 34266 427d86 76 API calls 34267 403585 20 API calls 34269 42e58e 18 API calls __fprintf_l 34272 425115 75 API calls __fprintf_l 34274 401592 8 API calls 33188 410b92 33191 410a6b 33188->33191 33190 410bb2 33192 410a77 33191->33192 33193 410a89 GetPrivateProfileIntA 33191->33193 33196 410983 memset _itoa WritePrivateProfileStringA 33192->33196 33193->33190 33195 410a84 33195->33190 33196->33195 34461 434395 16 API calls 34276 441d9c memcmp 34463 43f79b 119 API calls 34277 40c599 43 API calls 34464 426741 87 API calls 34281 4401a6 21 API calls 34283 426da6 memcpy memset memset memcpy 34284 4335a5 15 API calls 34286 4299ab memset memset memcpy memset memset 34287 40b1ab 8 API calls 34469 425115 76 API calls __fprintf_l 34473 4113b2 18 API calls 2 library calls 34477 40a3b8 memset sprintf SendMessageA 33221 410bbc 33224 4109cf 33221->33224 33225 4109dc 33224->33225 33226 410a23 memset GetPrivateProfileStringA 33225->33226 33227 4109ea memset 33225->33227 33232 407646 strlen 33226->33232 33237 4075cd sprintf memcpy 33227->33237 33230 410a0c WritePrivateProfileStringA 33231 410a65 33230->33231 33233 40765a 33232->33233 33235 40765c 33232->33235 33233->33231 33234 4076a3 33234->33231 33235->33234 33238 40737c strtoul 33235->33238 33237->33230 33238->33235 34289 40b5bf memset memset _mbsicmp

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 129 4082cd-40841a memset * 4 GetComputerNameA GetUserNameA MultiByteToWideChar * 2 strlen * 2 memcpy 130 408450-408453 129->130 131 40841c 129->131 133 408484-408488 130->133 134 408455-40845e 130->134 132 408422-40842b 131->132 135 408432-40844e 132->135 136 40842d-408431 132->136 137 408460-408464 134->137 138 408465-408482 134->138 135->130 135->132 136->135 137->138 138->133 138->134
                                      APIs
                                      • memset.MSVCRT ref: 0040832F
                                      • memset.MSVCRT ref: 00408343
                                      • memset.MSVCRT ref: 0040835F
                                      • memset.MSVCRT ref: 00408376
                                      • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                      • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                      • strlen.MSVCRT ref: 004083E9
                                      • strlen.MSVCRT ref: 004083F8
                                      • memcpy.MSVCRT ref: 0040840A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                      • String ID: 5$H$O$b$i$}$}
                                      • API String ID: 1832431107-3760989150
                                      • Opcode ID: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                                      • Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
                                      • Opcode Fuzzy Hash: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                                      • Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 432 407ef8-407f01 433 407f03-407f22 FindFirstFileA 432->433 434 407f24-407f38 FindNextFileA 432->434 435 407f3f-407f44 433->435 436 407f46-407f74 strlen * 2 434->436 437 407f3a call 407f90 434->437 435->436 439 407f89-407f8f 435->439 440 407f83 436->440 441 407f76-407f81 call 4070e3 436->441 437->435 443 407f86-407f88 440->443 441->443 443->439
                                      APIs
                                      • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                                      • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                                      • strlen.MSVCRT ref: 00407F5C
                                      • strlen.MSVCRT ref: 00407F64
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: FileFindstrlen$FirstNext
                                      • String ID: ACD
                                      • API String ID: 379999529-620537770
                                      • Opcode ID: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                                      • Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
                                      • Opcode Fuzzy Hash: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                                      • Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A

                                      Control-flow Graph

                                      APIs
                                      • memset.MSVCRT ref: 00401E8B
                                      • strlen.MSVCRT ref: 00401EA4
                                      • strlen.MSVCRT ref: 00401EB2
                                      • strlen.MSVCRT ref: 00401EF8
                                      • strlen.MSVCRT ref: 00401F06
                                      • memset.MSVCRT ref: 00401FB1
                                      • atoi.MSVCRT ref: 00401FE0
                                      • memset.MSVCRT ref: 00402003
                                      • sprintf.MSVCRT ref: 00402030
                                        • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                      • memset.MSVCRT ref: 00402086
                                      • memset.MSVCRT ref: 0040209B
                                      • strlen.MSVCRT ref: 004020A1
                                      • strlen.MSVCRT ref: 004020AF
                                      • strlen.MSVCRT ref: 004020E2
                                      • strlen.MSVCRT ref: 004020F0
                                      • memset.MSVCRT ref: 00402018
                                        • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
                                        • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                      • _mbscpy.MSVCRT ref: 00402177
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00402181
                                      • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
                                        • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                                      • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                      • API String ID: 1846531875-4223776976
                                      • Opcode ID: 24cd1edf3e0e6a0f2a794eae778d20d0b8fcf68951756f89e235529ef22c09db
                                      • Instruction ID: 9c65708a615aa9161e76439fb3ec4404e3c7586a7422c94cf2faf2b42662f59f
                                      • Opcode Fuzzy Hash: 24cd1edf3e0e6a0f2a794eae778d20d0b8fcf68951756f89e235529ef22c09db
                                      • Instruction Fuzzy Hash: 2291193290515D6AEB21D6618C86FDE77AC9F58304F1400FBF508F2182EB78EB858B6D

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                        • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                        • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                        • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040D190
                                      • DeleteObject.GDI32(?), ref: 0040D1A6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                      • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                                      • API String ID: 745651260-375988210
                                      • Opcode ID: 01abe85119e862d03ebbcbf30b96c63784c41f31500a9bb9b68e18ec68e211b7
                                      • Instruction ID: dea5423bbc6b84474d5379bd8edfb36e55d4f41410ab6b686afcfd17116e90de
                                      • Opcode Fuzzy Hash: 01abe85119e862d03ebbcbf30b96c63784c41f31500a9bb9b68e18ec68e211b7
                                      • Instruction Fuzzy Hash: 0A61AF71908345EBD7609FA1EC89A9FB7E8FF85704F00093FF544A21A1DB789805CB5A

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                      • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
                                      • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                                      • _mbscpy.MSVCRT ref: 00403E54
                                      Strings
                                      • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                                      • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                                      • pstorec.dll, xrefs: 00403C30
                                      • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                                      • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                                      • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                                      • PStoreCreateInstance, xrefs: 00403C44
                                      • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                                      • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                                      • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                                      • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                                      • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Library$AddressFreeLoadProc_mbscpy
                                      • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                      • API String ID: 1197458902-317895162
                                      • Opcode ID: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
                                      • Instruction ID: f12475a9e901df39a06d2b9041e3ab5decda6d4897279b708da5bb949cd86342
                                      • Opcode Fuzzy Hash: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
                                      • Instruction Fuzzy Hash: 7C51C971600201B6E714EF71CD86FDAB66CAF01709F14013FF915B61C2DBBDA658C699

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 231 444c4a-444c66 call 444e38 GetModuleHandleA 234 444c87-444c8a 231->234 235 444c68-444c73 231->235 236 444cb3-444d00 __set_app_type __p__fmode __p__commode call 444e34 234->236 235->234 237 444c75-444c7e 235->237 246 444d02-444d0d __setusermatherr 236->246 247 444d0e-444d68 call 444e22 _initterm __getmainargs _initterm 236->247 238 444c80-444c85 237->238 239 444c9f-444ca3 237->239 238->234 241 444c8c-444c93 238->241 239->234 242 444ca5-444ca7 239->242 241->234 244 444c95-444c9d 241->244 245 444cad-444cb0 242->245 244->245 245->236 246->247 250 444da4-444da7 247->250 251 444d6a-444d72 247->251 252 444d81-444d85 250->252 253 444da9-444dad 250->253 254 444d74-444d76 251->254 255 444d78-444d7b 251->255 257 444d87-444d89 252->257 258 444d8b-444d9c GetStartupInfoA 252->258 253->250 254->251 254->255 255->252 256 444d7d-444d7e 255->256 256->252 257->256 257->258 259 444d9e-444da2 258->259 260 444daf-444db1 258->260 261 444db2-444dc6 GetModuleHandleA call 40cf44 259->261 260->261 264 444dcf-444e0f _cexit call 444e71 261->264 265 444dc8-444dc9 exit 261->265 265->264
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                      • String ID: k{v
                                      • API String ID: 3662548030-443568515
                                      • Opcode ID: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                                      • Instruction ID: dd0826a03bb44e9375613df7343647c7563f031d366e42a412bc6d4d3743f318
                                      • Opcode Fuzzy Hash: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                                      • Instruction Fuzzy Hash: AF41A0B0C02344DFEB619FA4D8847AD7BB8FB49325F28413BE451A7291D7388982CB5D

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 269 40fb00-40fb35 call 44b090 RegOpenKeyExA 272 40fc37-40fc3d 269->272 273 40fb3b-40fb4f RegOpenKeyExA 269->273 274 40fb55-40fb7e RegQueryValueExA 273->274 275 40fc2d-40fc31 RegCloseKey 273->275 276 40fc23-40fc27 RegCloseKey 274->276 277 40fb84-40fb93 call 404734 274->277 275->272 276->275 277->276 280 40fb99-40fbd1 call 4047a5 277->280 280->276 283 40fbd3-40fbdb 280->283 284 40fc19-40fc1d LocalFree 283->284 285 40fbdd-40fc14 memcpy * 2 call 40f802 283->285 284->276 285->284
                                      APIs
                                      • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
                                      • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
                                      • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC27
                                        • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                        • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                      • memcpy.MSVCRT ref: 0040FBE4
                                      • memcpy.MSVCRT ref: 0040FBF9
                                        • Part of subcall function 0040F802: RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                        • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
                                        • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                        • Part of subcall function 0040F802: RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                      • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
                                      • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E7F,?), ref: 0040FC31
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                      • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value$XnE
                                      • API String ID: 2768085393-2409096184
                                      • Opcode ID: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
                                      • Instruction ID: dc42a4d3869b5799c80e2b369f36587618a74ee4c7744a3ab9dbe2425e101413
                                      • Opcode Fuzzy Hash: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
                                      • Instruction Fuzzy Hash: BA316F72508348AFE750DF51DC81E5BBBECFB88358F04093EBA94E2151D735D9188B6A

                                      Control-flow Graph

                                      APIs
                                      • memset.MSVCRT ref: 0044430B
                                        • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                                        • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                                        • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                                        • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                                        • Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                        • Part of subcall function 00410DBB: _mbscpy.MSVCRT ref: 00410E87
                                      • memset.MSVCRT ref: 00444379
                                      • memset.MSVCRT ref: 00444394
                                        • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                      • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                                      • strlen.MSVCRT ref: 004443DB
                                      • _strcmpi.MSVCRT ref: 00444401
                                      Strings
                                      • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                                      • Store Root, xrefs: 004443A5
                                      • \Microsoft\Windows Mail, xrefs: 00444329
                                      • \Microsoft\Windows Live Mail, xrefs: 00444350
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                      • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                      • API String ID: 832325562-2578778931
                                      • Opcode ID: 88eecb5596c8840dacdab9e6d9cddf85e53b3344e0b54babe6c18053d28390f2
                                      • Instruction ID: c969096c6c8075cae9da81fbffcb27ba025b1fc1210c9b39c3855a2ab2b3ab2e
                                      • Opcode Fuzzy Hash: 88eecb5596c8840dacdab9e6d9cddf85e53b3344e0b54babe6c18053d28390f2
                                      • Instruction Fuzzy Hash: A73197725083446BE320EA99DC47FCBB7DC9B85315F14441FF64897182D678E548877A

                                      Control-flow Graph

                                      control_flow_graph 308 40f460-40f5bd memset * 2 call 4078ba * 2 RegOpenKeyExA 313 40f5c3-40f5ea RegQueryValueExA 308->313 314 40f6d9-40f6df 308->314 315 40f6d0-40f6d3 RegCloseKey 313->315 316 40f5f0-40f5f4 313->316 315->314 316->315 317 40f5fa-40f604 316->317 318 40f606-40f618 call 40466b call 404734 317->318 319 40f677 317->319 329 40f66a-40f675 call 404785 318->329 330 40f61a-40f63e call 4047a5 318->330 321 40f67a-40f67d 319->321 321->315 322 40f67f-40f6bf call 4012ee RegQueryValueExA 321->322 322->315 328 40f6c1-40f6cf 322->328 328->315 329->321 330->329 335 40f640-40f643 330->335 336 40f661-40f664 LocalFree 335->336 337 40f645-40f65a memcpy 335->337 336->329 337->336
                                      APIs
                                      • memset.MSVCRT ref: 0040F567
                                      • memset.MSVCRT ref: 0040F57F
                                        • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                                      • RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                                        • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                        • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                        • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                      • memcpy.MSVCRT ref: 0040F652
                                      • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                                      • String ID:
                                      • API String ID: 2012582556-3916222277
                                      • Opcode ID: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                                      • Instruction ID: 8a535e2a1d92942c08e22e27bc62a3a9d9c5418ddd7b2e408e782496f1cf9495
                                      • Opcode Fuzzy Hash: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                                      • Instruction Fuzzy Hash: 9E81FC218047CEDEDB31DBBC8C485DDBF745B17224F0843A9E5B47A2E2D3245646C7AA

                                      Control-flow Graph

                                      control_flow_graph 338 4037ca-40381c memset * 2 call 444551 341 4038e2-4038e5 338->341 342 403822-403882 call 4021b6 call 406f06 * 2 strchr 338->342 349 403884-403895 _mbscpy 342->349 350 403897-4038a2 strlen 342->350 351 4038bf-4038dd _mbscpy call 4023e5 349->351 350->351 352 4038a4-4038bc sprintf 350->352 351->341 352->351
                                      APIs
                                      • memset.MSVCRT ref: 004037EB
                                      • memset.MSVCRT ref: 004037FF
                                        • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                                        • Part of subcall function 00444551: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                        • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                        • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                                      • strchr.MSVCRT ref: 0040386E
                                      • _mbscpy.MSVCRT ref: 0040388B
                                      • strlen.MSVCRT ref: 00403897
                                      • sprintf.MSVCRT ref: 004038B7
                                      • _mbscpy.MSVCRT ref: 004038CD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                                      • String ID: %s@yahoo.com
                                      • API String ID: 317221925-3288273942
                                      • Opcode ID: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
                                      • Instruction ID: 76d3f49adc6711096ede71316d8c54080aa8a6e72e6628a7d10ff16d2d587f45
                                      • Opcode Fuzzy Hash: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
                                      • Instruction Fuzzy Hash: 4B2154B3D001285EEB11EA54DD42FDA77ACDF85308F0404EBB649F7041E678AF888A59

                                      Control-flow Graph

                                      control_flow_graph 354 4034e4-403544 memset * 2 call 410b1e 357 403580-403582 354->357 358 403546-40357f _mbscpy call 406d55 _mbscat call 4033f0 354->358 358->357
                                      APIs
                                      • memset.MSVCRT ref: 00403504
                                      • memset.MSVCRT ref: 0040351A
                                        • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                      • _mbscpy.MSVCRT ref: 00403555
                                        • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                        • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                      • _mbscat.MSVCRT ref: 0040356D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _mbscatmemset$Close_mbscpystrlen
                                      • String ID: InstallPath$Software\Group Mail$fb.dat
                                      • API String ID: 3071782539-966475738
                                      • Opcode ID: ba1e5b879fdebbe75c382cc963f8f285cb869b8741e9311d789e5899e64a9370
                                      • Instruction ID: a2fd564f6d67a76fe1541fb13c78ccc0c8ee6374decffd3371ae058987aad369
                                      • Opcode Fuzzy Hash: ba1e5b879fdebbe75c382cc963f8f285cb869b8741e9311d789e5899e64a9370
                                      • Instruction Fuzzy Hash: C201FC7694416875E750F6659C47FCAB66CCB64705F0400A7BA48F30C2DAF8BBC486A9

                                      Control-flow Graph

                                      control_flow_graph 363 40ccd7-40cd06 ??2@YAPAXI@Z 364 40cd08-40cd0d 363->364 365 40cd0f 363->365 366 40cd11-40cd24 ??2@YAPAXI@Z 364->366 365->366 367 40cd26-40cd2d call 404025 366->367 368 40cd2f 366->368 370 40cd31-40cd57 367->370 368->370 371 40cd66-40cdd9 call 407088 call 4019b5 memset LoadIconA call 4019b5 _mbscpy 370->371 372 40cd59-40cd60 DeleteObject 370->372 372->371
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                      • String ID:
                                      • API String ID: 2054149589-0
                                      • Opcode ID: ac2346bdc6bf8c69db932d73876581c2cd712649df4ebdee0f030b2719307f74
                                      • Instruction ID: e49e2262ea613e2b532621416bf92f05b9d60d1a181aada648b692035ce2a44d
                                      • Opcode Fuzzy Hash: ac2346bdc6bf8c69db932d73876581c2cd712649df4ebdee0f030b2719307f74
                                      • Instruction Fuzzy Hash: C921A1B0900360DBDB10DF749DC97897BA8EB40B04F1405BBED08FF286D7B895408BA8

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                        • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                        • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                                        • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                                        • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                        • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                        • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                        • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                        • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                                        • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                                        • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                      • memset.MSVCRT ref: 00408620
                                        • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                      • memset.MSVCRT ref: 00408671
                                      • RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
                                      • RegCloseKey.ADVAPI32(?), ref: 004086D6
                                      Strings
                                      • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUser
                                      • String ID: Software\Google\Google Talk\Accounts
                                      • API String ID: 1366857005-1079885057
                                      • Opcode ID: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                                      • Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
                                      • Opcode Fuzzy Hash: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                                      • Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB

                                      Control-flow Graph

                                      control_flow_graph 403 40ba28-40ba3a 404 40ba87-40ba9b call 406c62 403->404 405 40ba3c-40ba52 call 407e20 _mbsicmp 403->405 427 40ba9d call 4107f1 404->427 428 40ba9d call 404734 404->428 429 40ba9d call 404785 404->429 430 40ba9d call 403c16 404->430 431 40ba9d call 410a9c 404->431 410 40ba54-40ba6d call 407e20 405->410 411 40ba7b-40ba85 405->411 417 40ba74 410->417 418 40ba6f-40ba72 410->418 411->404 411->405 412 40baa0-40bab3 call 407e30 419 40bab5-40bac1 412->419 420 40bafa-40bb09 SetCursor 412->420 421 40ba75-40ba76 call 40b5e5 417->421 418->421 422 40bac3-40bace 419->422 423 40bad8-40baf7 qsort 419->423 421->411 422->423 423->420 427->412 428->412 429->412 430->412 431->412
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Cursor_mbsicmpqsort
                                      • String ID: /nosort$/sort
                                      • API String ID: 882979914-1578091866
                                      • Opcode ID: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                                      • Instruction ID: 8a1fc52e493d51bfa0df36ad286e8752cb28bf69c391dd95ac0f49afa8242728
                                      • Opcode Fuzzy Hash: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                                      • Instruction Fuzzy Hash: 2D2192B1704601EFD719AF75C880A69B7A9FF48318B10027EF419A7291CB39BC12CBD9

                                      Control-flow Graph

                                      control_flow_graph 445 410dbb-410dd2 call 410d0e 448 410dd4-410ddd call 4070ae 445->448 449 410dfd-410e1b memset 445->449 456 410ddf-410de2 448->456 457 410dee-410df1 448->457 450 410e27-410e35 449->450 451 410e1d-410e20 449->451 454 410e45-410e4f call 410a9c 450->454 451->450 453 410e22-410e25 451->453 453->450 458 410e37-410e40 453->458 464 410e51-410e79 call 410d3d call 410add RegCloseKey 454->464 465 410e7f-410e92 _mbscpy 454->465 456->449 460 410de4-410de7 456->460 463 410df8 457->463 458->454 460->449 462 410de9-410dec 460->462 462->449 462->457 466 410e95-410e97 463->466 464->465 465->466
                                      APIs
                                        • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
                                        • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                      • memset.MSVCRT ref: 00410E10
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                      • _mbscpy.MSVCRT ref: 00410E87
                                        • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                      Strings
                                      • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                      • API String ID: 889583718-2036018995
                                      • Opcode ID: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                                      • Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
                                      • Opcode Fuzzy Hash: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                                      • Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A
                                      APIs
                                      • FindResourceA.KERNEL32(?,?,?), ref: 00410C75
                                      • SizeofResource.KERNEL32(?,00000000), ref: 00410C86
                                      • LoadResource.KERNEL32(?,00000000), ref: 00410C96
                                      • LockResource.KERNEL32(00000000), ref: 00410CA1
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Resource$FindLoadLockSizeof
                                      • String ID:
                                      • API String ID: 3473537107-0
                                      • Opcode ID: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                                      • Instruction ID: 06b8370cebe37c7de172ca18b7cbf64f7437cd91f528590ddf6fb1777473d23a
                                      • Opcode Fuzzy Hash: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                                      • Instruction Fuzzy Hash: 090196367012166F8B185F69DD9489F7EAEFB853913084136FC05C6361EB71C9818ED8
                                      APIs
                                      • memset.MSVCRT ref: 004109F7
                                        • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                                        • Part of subcall function 004075CD: memcpy.MSVCRT ref: 00407618
                                      • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                                      • memset.MSVCRT ref: 00410A32
                                      • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                      • String ID:
                                      • API String ID: 3143880245-0
                                      • Opcode ID: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                                      • Instruction ID: 950c872411b2f2d44c5e3370b52dcf3132a88c3cdc41bb294f16927293e6b240
                                      • Opcode Fuzzy Hash: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                                      • Instruction Fuzzy Hash: A401A172804319BBEF119F50DC86EDB7B7CEF05344F0000A6F604A2052E635AA64CBA9
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      • API String ID: 613200358-0
                                      • Opcode ID: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                      • Instruction ID: 5841ab7dcc50b440abd9236b7832042a9d7d1d7b8957bb774bcacf87f05c1f29
                                      • Opcode Fuzzy Hash: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                      • Instruction Fuzzy Hash: AAE046A134974456BA10AF7BAC52F13239CEA803523168C6FB800F36D2EF2CE890846C
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??2@
                                      • String ID:
                                      • API String ID: 1033339047-0
                                      • Opcode ID: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                                      • Instruction ID: b7305a6f8e60e4354fc193aeb8e5872e67636dbc7b7f4d43fc505f02bd19535d
                                      • Opcode Fuzzy Hash: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                                      • Instruction Fuzzy Hash: EEF031F05433615EEB559F34ED0672536A4E784302F024B3EE2059A2E6EB78D4908B09
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??3@mallocmemcpy
                                      • String ID:
                                      • API String ID: 3831604043-0
                                      • Opcode ID: a96fb65c017a86587ba071467795d458f8ca9669e817bb347d51b960c43a4168
                                      • Instruction ID: 20c18abb4fba39fec419649699297209b7413d51c31022bf8d4f5bc21a778af6
                                      • Opcode Fuzzy Hash: a96fb65c017a86587ba071467795d458f8ca9669e817bb347d51b960c43a4168
                                      • Instruction Fuzzy Hash: 39F0E9726092235FD7089E7AB881D0BB3ADEF94324711482FF445E7281D738EC60C6A8
                                      APIs
                                        • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                        • Part of subcall function 00406FC7: _mbscpy.MSVCRT ref: 00407011
                                      • CreateFontIndirectA.GDI32(?), ref: 004070A6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: CreateFontIndirect_mbscpymemset
                                      • String ID: Arial
                                      • API String ID: 3853255127-493054409
                                      • Opcode ID: a9edf0add2530cae1e73dc887b0500a6e6731c557fb9a9d8b72d1c15ab1f178d
                                      • Instruction ID: 3e85f73e1de40fb669f60d67ce34a2ecc2b5129f84855d11383e820b071861b9
                                      • Opcode Fuzzy Hash: a9edf0add2530cae1e73dc887b0500a6e6731c557fb9a9d8b72d1c15ab1f178d
                                      • Instruction Fuzzy Hash: FDD0C9A0E4020D67D710F7A0FD47F49776C5B00604F510831B905F10E1EAA4A1184A99
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                      • Instruction ID: 9d5022db8ba3b04779ac2e9664088e7462d9cf1087a2f4409b49694314ac1291
                                      • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                      • Instruction Fuzzy Hash: FB21F7114496816FFB218BB84C017B67BD8DB13364F19469BE184CB243D76CD85693FA
                                      APIs
                                        • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                                        • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                                        • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                                        • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                                        • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                                      • _strcmpi.MSVCRT ref: 0040CEC3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: strlen$_strcmpimemset
                                      • String ID: /stext
                                      • API String ID: 520177685-3817206916
                                      • Opcode ID: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                                      • Instruction ID: 693fdb5656bfadad22d3d4febeb48e05c11e25f360cf1d4a61822c7fe8fbaaaa
                                      • Opcode Fuzzy Hash: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                                      • Instruction Fuzzy Hash: 5B210C71614112DFC3589B39C8C1966B3A9BF45314B15427FA91AAB392C738EC119BC9
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                      • Instruction ID: 5df47aada64e755ddaac71019e2cddcac14d14db73bdb0f929895f2225ac57a9
                                      • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                      • Instruction Fuzzy Hash: DB012D01545A4179FF21AAB50C02ABB5F8CDA23364B145B4BF750CB293DB5CC90693FE
                                      APIs
                                      • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                      • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                      • Instruction ID: 565c9894d902a96607ae12053a83652f4dbbb150929c791eaa1536a67b179355
                                      • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                      • Instruction Fuzzy Hash: 83F0C201589A407DFE2155B50C42ABB5B8CCA27320B244B07F654CB383D79DC91A93FA
                                      APIs
                                        • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                      • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Library$AddressFreeLoadProc
                                      • String ID:
                                      • API String ID: 145871493-0
                                      • Opcode ID: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                                      • Instruction ID: d196b3276b1a656cda378f5c53e28a4a33de773bbf59b12af1a3f4d2ec041ade
                                      • Opcode Fuzzy Hash: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                                      • Instruction Fuzzy Hash: 35F065F8500B039BD7606F34D84879BB3E9AF86310F00453EF961A3281EB38E541CB58
                                      APIs
                                      • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                        • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                        • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                        • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: PrivateProfile$StringWrite_itoamemset
                                      • String ID:
                                      • API String ID: 4165544737-0
                                      • Opcode ID: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                      • Instruction ID: e4187046b5889157fb54d5f6e3f9ccfafaefd38d22cef98a7399574687248963
                                      • Opcode Fuzzy Hash: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                      • Instruction Fuzzy Hash: 3DE0B63204020DBFDF125F90EC01AA97B66FF14355F14845AF95804131D37295B0AF94
                                      APIs
                                      • FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0
                                      • Opcode ID: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                      • Instruction ID: 8a1fb59f4aee03ee333bbcbb21747f572c22b5e480e1b07aa067c0b07a2bbf9c
                                      • Opcode Fuzzy Hash: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                      • Instruction Fuzzy Hash: D2D012750013118FD7605F14FC4CBA173E8AF41312F1504B8E990A7196C3389540CA58
                                      APIs
                                      • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040AEA3,00000000), ref: 00406D2C
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                      • Instruction ID: b62e2d47ef034db7175ca84798afaf0fa2498f7b6fd9cc80310e9c1c0838826b
                                      • Opcode Fuzzy Hash: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                      • Instruction Fuzzy Hash: 59C012F02503007EFF204F10AC4BF37355DE780700F204420BE00E40E2C2A14C008928
                                      APIs
                                      • FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0
                                      • Opcode ID: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                      • Instruction ID: 34cea44665fc180de0fd44d6926484b1362fa2b4776eba2aa4e53c033fc5eded
                                      • Opcode Fuzzy Hash: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                      • Instruction Fuzzy Hash: 8CC04C355107018BE7219B12C949763B7E4BB00316F54C81894A695454D77CE494CE18
                                      APIs
                                      • EnumResourceNamesA.KERNEL32(?,?,Function_00010C68,00000000), ref: 00410D02
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: EnumNamesResource
                                      • String ID:
                                      • API String ID: 3334572018-0
                                      • Opcode ID: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                                      • Instruction ID: 5afcab74deb5f1f746bbc86617496166ce7982b7e139a3a4a0d32d3f52cd2e16
                                      • Opcode Fuzzy Hash: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                                      • Instruction Fuzzy Hash: 05C09B3119534197C7519F108C4DF1B7695BB59706F144D297191940A4D7514054DE05
                                      APIs
                                      • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: CloseFind
                                      • String ID:
                                      • API String ID: 1863332320-0
                                      • Opcode ID: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                      • Instruction ID: 6a16c08ea37d16c8a4aa15d9076e95747955e6fceefd1cb8b530e80fb020b3ed
                                      • Opcode Fuzzy Hash: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                      • Instruction Fuzzy Hash: 6DC092746165029FD22C5F38ECA942A77A1AF4A7303B80F6CE0F3D20F0E73898528A04
                                      APIs
                                      • RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Open
                                      • String ID:
                                      • API String ID: 71445658-0
                                      • Opcode ID: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                                      • Instruction ID: dc05f55a30c25c5fac933af4dde5d03becff9f0601af4caa575784a6c8c77920
                                      • Opcode Fuzzy Hash: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                                      • Instruction Fuzzy Hash: F4C09B35545301FFDE114F40FD45F09BB61AB84B05F004414B244240B182714414EB17
                                      APIs
                                      • GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID:
                                      • API String ID: 3188754299-0
                                      • Opcode ID: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                                      • Instruction ID: 9c49554ec541f0f53bfa1b31c7f3910b3cb34ca890cc3578c2bd02f8d22bfc28
                                      • Opcode Fuzzy Hash: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                                      • Instruction Fuzzy Hash: 0CB012B92110004BCB0807349C8904D36505F456317240B3CB033C01F0D720CCA0BE00
                                      APIs
                                      • LoadLibraryA.KERNEL32(advapi32.dll,?,00404A70,?,00404986,?,?,00000000,?,00000000,?), ref: 004047DA
                                      • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047EE
                                      • GetProcAddress.KERNEL32(0045A9A8,CryptReleaseContext), ref: 004047FA
                                      • GetProcAddress.KERNEL32(0045A9A8,CryptCreateHash), ref: 00404806
                                      • GetProcAddress.KERNEL32(0045A9A8,CryptGetHashParam), ref: 00404812
                                      • GetProcAddress.KERNEL32(0045A9A8,CryptHashData), ref: 0040481E
                                      • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyHash), ref: 0040482A
                                      • GetProcAddress.KERNEL32(0045A9A8,CryptDecrypt), ref: 00404836
                                      • GetProcAddress.KERNEL32(0045A9A8,CryptDeriveKey), ref: 00404842
                                      • GetProcAddress.KERNEL32(0045A9A8,CryptImportKey), ref: 0040484E
                                      • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyKey), ref: 0040485A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad
                                      • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                                      • API String ID: 2238633743-192783356
                                      • Opcode ID: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
                                      • Instruction ID: 70faa285c49fb169990c8fbe2f493e995bb0ef80ad344915aa685f594b7479e2
                                      • Opcode Fuzzy Hash: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
                                      • Instruction Fuzzy Hash: 1101C978E40744AEDB316F76CC09E06BEE1EF9C7047214D2EE1C153650D77AA011DE48
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: PrivateProfileString_mbscmpstrlen
                                      • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                      • API String ID: 3963849919-1658304561
                                      • Opcode ID: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                                      • Instruction ID: 768c2722c01e59d080de5de3380f4e9b1c28328498c4b4a1784570bb69a0741a
                                      • Opcode Fuzzy Hash: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                                      • Instruction Fuzzy Hash: B2213371D0111C6ADB61EB51DC82FEE7B7C9B44705F0400EBBA08B2082DBBC6F898E59
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??2@??3@memcpymemset
                                      • String ID: (yE$(yE$(yE
                                      • API String ID: 1865533344-362086290
                                      • Opcode ID: 0ccdd0ead4f7f762e657c049d916cce9c2c11d769d9b83e6b2670f1f2acaaac1
                                      • Instruction ID: 81f979815271b6a149e92529059c9b1765a635985cdb271dadbae3a2bc10ddb4
                                      • Opcode Fuzzy Hash: 0ccdd0ead4f7f762e657c049d916cce9c2c11d769d9b83e6b2670f1f2acaaac1
                                      • Instruction Fuzzy Hash: 2D117975900209EFDF119F94C804AAE3BB1FF08326F10806AFD556B2A1C7798915EF69
                                      APIs
                                        • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                        • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                        • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                        • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                                        • Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C
                                        • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                                      • memset.MSVCRT ref: 0040E5B8
                                      • memset.MSVCRT ref: 0040E5CD
                                      • _mbscpy.MSVCRT ref: 0040E634
                                      • _mbscpy.MSVCRT ref: 0040E64A
                                      • _mbscpy.MSVCRT ref: 0040E660
                                      • _mbscpy.MSVCRT ref: 0040E676
                                      • _mbscpy.MSVCRT ref: 0040E68C
                                      • _mbscpy.MSVCRT ref: 0040E69F
                                      • memset.MSVCRT ref: 0040E6B5
                                      • memset.MSVCRT ref: 0040E6CC
                                        • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                                        • Part of subcall function 004066A3: memcmp.MSVCRT ref: 004066EE
                                      • memset.MSVCRT ref: 0040E736
                                      • memset.MSVCRT ref: 0040E74F
                                      • sprintf.MSVCRT ref: 0040E76D
                                      • sprintf.MSVCRT ref: 0040E788
                                      • _strcmpi.MSVCRT ref: 0040E79E
                                      • _strcmpi.MSVCRT ref: 0040E7B7
                                      • _strcmpi.MSVCRT ref: 0040E7D3
                                      • memset.MSVCRT ref: 0040E858
                                      • sprintf.MSVCRT ref: 0040E873
                                      • _strcmpi.MSVCRT ref: 0040E889
                                      • _strcmpi.MSVCRT ref: 0040E8A5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                      • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                      • API String ID: 4171719235-3943159138
                                      • Opcode ID: bf0017e867bbd9971ab7950a12d93933283a76136da63b011136ffef7bc63502
                                      • Instruction ID: e6e1aca5762f927b6bef3ecf047b01a22afe4fa283f9592a273acc07610826c1
                                      • Opcode Fuzzy Hash: bf0017e867bbd9971ab7950a12d93933283a76136da63b011136ffef7bc63502
                                      • Instruction Fuzzy Hash: D6B152B2D04119AADF10EBA1DC41BDEB7B8EF04318F1444BBF548B7181EB39AA558F58
                                      APIs
                                      • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                                      • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                                      • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                                      • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                                      • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                                      • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                                      • GetWindowRect.USER32(00000000,?), ref: 0041047C
                                      • GetWindowRect.USER32(?,?), ref: 00410487
                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                                      • GetDC.USER32 ref: 004104E2
                                      • strlen.MSVCRT ref: 00410522
                                      • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                                      • ReleaseDC.USER32(?,?), ref: 00410580
                                      • sprintf.MSVCRT ref: 00410640
                                      • SetWindowTextA.USER32(?,?), ref: 00410654
                                      • SetWindowTextA.USER32(?,00000000), ref: 00410672
                                      • GetDlgItem.USER32(?,00000001), ref: 004106A8
                                      • GetWindowRect.USER32(00000000,?), ref: 004106B8
                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                                      • GetClientRect.USER32(?,?), ref: 004106DD
                                      • GetWindowRect.USER32(?,?), ref: 004106E7
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                                      • GetClientRect.USER32(?,?), ref: 00410737
                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                      • String ID: %s:$EDIT$STATIC
                                      • API String ID: 1703216249-3046471546
                                      • Opcode ID: 128263c36ef5345d2fa2b7d273f179e903fb80143bcb01b5421768440fe41b9e
                                      • Instruction ID: 9785898008ba7037e97d6a181d6b2a38f1c87ee61eba0ca9b836c22844d1efbd
                                      • Opcode Fuzzy Hash: 128263c36ef5345d2fa2b7d273f179e903fb80143bcb01b5421768440fe41b9e
                                      • Instruction Fuzzy Hash: 36B1DF75508341AFD750DFA8C985E6BBBE9FF88704F00492DF59982261DB75E804CF16
                                      APIs
                                      • memset.MSVCRT ref: 004024F5
                                        • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                      • _mbscpy.MSVCRT ref: 00402533
                                      • _mbscpy.MSVCRT ref: 004025FD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _mbscpy$QueryValuememset
                                      • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                      • API String ID: 168965057-606283353
                                      • Opcode ID: db52dd6227f64e1606ed286d3875c760bf9a06f6856d1fddeb2df187246517b6
                                      • Instruction ID: 7e64c7f7efb5926a908898138c7c80272d7c47f2ed846a803f17f87345e13469
                                      • Opcode Fuzzy Hash: db52dd6227f64e1606ed286d3875c760bf9a06f6856d1fddeb2df187246517b6
                                      • Instruction Fuzzy Hash: 0A5173B640221DABEF60DF91CC85ADD7BA8EF04318F54846BF908A7141D7BD9588CF98
                                      APIs
                                      • memset.MSVCRT ref: 00402869
                                        • Part of subcall function 004029A2: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029D3
                                      • _mbscpy.MSVCRT ref: 004028A3
                                        • Part of subcall function 004029A2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                                      • _mbscpy.MSVCRT ref: 0040297B
                                        • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                                      • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                      • API String ID: 1497257669-167382505
                                      • Opcode ID: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
                                      • Instruction ID: 8a18399fb9ab4dbf3293ae90a7c33dbf32d2aa74b1f684e89f9c0cb2c5d46144
                                      • Opcode Fuzzy Hash: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
                                      • Instruction Fuzzy Hash: F1514CB190124DAFEF60EF61CD85ACD7BB8FF04308F14812BF92466191D7B999488F98
                                      APIs
                                      • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                      • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                      • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                      • LoadCursorA.USER32(00000067), ref: 0040115F
                                      • SetCursor.USER32(00000000,?,?), ref: 00401166
                                      • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                      • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                      • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                      • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                      • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                      • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                      • EndDialog.USER32(?,00000001), ref: 0040121A
                                      • DeleteObject.GDI32(?), ref: 00401226
                                      • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                      • ShowWindow.USER32(00000000), ref: 00401253
                                      • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                      • ShowWindow.USER32(00000000), ref: 00401262
                                      • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                      • memset.MSVCRT ref: 0040128E
                                      • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                      • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                      • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                      • String ID:
                                      • API String ID: 2998058495-0
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcmp$memcpy
                                      • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                      • API String ID: 231171946-2189169393
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _mbscat$memsetsprintf$_mbscpy
                                      • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                      • API String ID: 633282248-1996832678
                                      APIs
                                      Strings
                                      • key4.db, xrefs: 00406756
                                      • SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
                                      • , xrefs: 00406834
                                      • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy$memcmp$memsetstrlen
                                      • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                      • API String ID: 3614188050-3983245814
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: sprintf$memset$_mbscpy
                                      • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                      • API String ID: 3402215030-3842416460
                                      APIs
                                        • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                                        • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
                                        • Part of subcall function 004080D4: ??3@YAXPAX@Z.MSVCRT ref: 004080DB
                                        • Part of subcall function 00407035: _mbscpy.MSVCRT ref: 0040703A
                                        • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                                        • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                                        • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                                        • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                                        • Part of subcall function 0040DAC2: memcpy.MSVCRT ref: 0040DBD8
                                        • Part of subcall function 0040DAC2: memcpy.MSVCRT ref: 0040DC38
                                        • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                                      • strlen.MSVCRT ref: 0040F139
                                      • strlen.MSVCRT ref: 0040F147
                                      • memset.MSVCRT ref: 0040F187
                                      • strlen.MSVCRT ref: 0040F196
                                      • strlen.MSVCRT ref: 0040F1A4
                                      • memset.MSVCRT ref: 0040F1EA
                                      • strlen.MSVCRT ref: 0040F1F9
                                      • strlen.MSVCRT ref: 0040F207
                                      • _strcmpi.MSVCRT ref: 0040F2B2
                                      • _mbscpy.MSVCRT ref: 0040F2CD
                                      • _mbscpy.MSVCRT ref: 0040F30E
                                        • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
                                        • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: strlen$memset$_mbscpy$memcpy$??3@CloseFileHandleSize_mbscat_mbsicmp_strcmpistrrchr
                                      • String ID: logins.json$none$signons.sqlite$signons.txt
                                      • API String ID: 1613542760-3138536805
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                      • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                      • API String ID: 1012775001-1343505058
                                      APIs
                                      • memset.MSVCRT ref: 00444612
                                        • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                      • strlen.MSVCRT ref: 0044462E
                                      • memset.MSVCRT ref: 00444668
                                      • memset.MSVCRT ref: 0044467C
                                      • memset.MSVCRT ref: 00444690
                                      • memset.MSVCRT ref: 004446B6
                                        • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D296
                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                        • Part of subcall function 0040D2A3: memcpy.MSVCRT ref: 0040D30F
                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                      • memcpy.MSVCRT ref: 004446ED
                                        • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D248
                                        • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D272
                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                      • memcpy.MSVCRT ref: 00444729
                                      • memcpy.MSVCRT ref: 0044473B
                                      • _mbscpy.MSVCRT ref: 00444812
                                      • memcpy.MSVCRT ref: 00444843
                                      • memcpy.MSVCRT ref: 00444855
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpymemset$strlen$_mbscpy
                                      • String ID: salu
                                      • API String ID: 3691931180-4177317985
                                      APIs
                                      • LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
                                      • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
                                      • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                                      • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                                      • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                                      • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                                      • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: AddressProc$Library$FreeLoad
                                      • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                      • API String ID: 2449869053-232097475
                                      APIs
                                      • sprintf.MSVCRT ref: 0040957B
                                      • LoadMenuA.USER32(?,?), ref: 00409589
                                        • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
                                        • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
                                        • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
                                        • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
                                      • DestroyMenu.USER32(00000000), ref: 004095A7
                                      • sprintf.MSVCRT ref: 004095EB
                                      • CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
                                      • memset.MSVCRT ref: 0040961C
                                      • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
                                      • EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
                                      • DestroyWindow.USER32(00000000), ref: 0040965C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                      • String ID: caption$dialog_%d$menu_%d
                                      • API String ID: 3259144588-3822380221
                                      APIs
                                        • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                                      • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                      • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                      • GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                      • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                      • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                      • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: AddressProc$Library$FreeLoad
                                      • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                      • API String ID: 2449869053-4258758744
                                      APIs
                                      • RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                      • memset.MSVCRT ref: 0040F84A
                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F877
                                      • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F919
                                      • LocalFree.KERNEL32(?), ref: 0040F92C
                                      • RegCloseKey.ADVAPI32(?), ref: 0040F937
                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                      • RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                                      • String ID: Creds$ps:password
                                      • API String ID: 551151806-1872227768
                                      APIs
                                      • wcsstr.MSVCRT ref: 0040426A
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
                                      • _mbscpy.MSVCRT ref: 004042D5
                                      • _mbscpy.MSVCRT ref: 004042E8
                                      • strchr.MSVCRT ref: 004042F6
                                      • strlen.MSVCRT ref: 0040430A
                                      • sprintf.MSVCRT ref: 0040432B
                                      • strchr.MSVCRT ref: 0040433C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                                      • String ID: %s@gmail.com$www.google.com
                                      • API String ID: 3866421160-4070641962
                                      APIs
                                      • _mbscpy.MSVCRT ref: 00409749
                                      • _mbscpy.MSVCRT ref: 00409759
                                        • Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
                                        • Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,?,00001000,0045A448), ref: 00409355
                                        • Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C
                                      • EnumResourceNamesA.KERNEL32(?,00000004,Function_0000955A,00000000), ref: 0040978F
                                      • EnumResourceNamesA.KERNEL32(?,00000005,Function_0000955A,00000000), ref: 00409799
                                      • _mbscpy.MSVCRT ref: 004097A1
                                      • memset.MSVCRT ref: 004097BD
                                      • LoadStringA.USER32(?,00000000,?,00001000), ref: 004097D1
                                        • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                      • String ID: TranslatorName$TranslatorURL$general$strings
                                      • API String ID: 1035899707-3647959541
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                      • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                      • API String ID: 2360744853-2229823034
                                      APIs
                                      • strchr.MSVCRT ref: 004100E4
                                      • _mbscpy.MSVCRT ref: 004100F2
                                        • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                        • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                        • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                      • _mbscpy.MSVCRT ref: 00410142
                                      • _mbscat.MSVCRT ref: 0041014D
                                      • memset.MSVCRT ref: 00410129
                                        • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                                        • Part of subcall function 0040715B: _mbscpy.MSVCRT ref: 00407180
                                      • memset.MSVCRT ref: 00410171
                                      • memcpy.MSVCRT ref: 0041018C
                                      • _mbscat.MSVCRT ref: 00410197
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                      • String ID: \systemroot
                                      • API String ID: 912701516-1821301763
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy$strlen
                                      • String ID: -journal$-wal$immutable$nolock
                                      • API String ID: 2619041689-3408036318
                                      • Opcode ID: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                      • Instruction ID: 25f2131b2e7268d2841c48c11c9a86e68458d3caa4be6fdea11427aceae17f40
                                      • Opcode Fuzzy Hash: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                      • Instruction Fuzzy Hash: 9FC1D1B1A04606EFDB14DFA5C841BDEFBB0BF45314F14815EE528A7381D778AA90CB98
                                      APIs
                                        • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                      • wcslen.MSVCRT ref: 0040874A
                                      • _wcsncoll.MSVCRT ref: 00408794
                                      • memset.MSVCRT ref: 0040882A
                                      • memcpy.MSVCRT ref: 00408849
                                      • wcschr.MSVCRT ref: 0040889F
                                      • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: AddressProc$FreeLibraryLoadLocal_wcsncollmemcpymemsetwcschrwcslen
                                      • String ID: J$Microsoft_WinInet
                                      • API String ID: 2203907242-260894208
                                      • Opcode ID: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
                                      • Instruction ID: 28b95496509cbb6d8c3a882eeb8be19e6e579a4afcb86d24d1cb248b0f397b1b
                                      • Opcode Fuzzy Hash: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
                                      • Instruction Fuzzy Hash: 9E5127B16083469FD710EF65C981A5BB7E8FF89304F40492EF998D3251EB38E944CB5A
                                      APIs
                                      • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                      • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410916
                                      • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                      • memcpy.MSVCRT ref: 00410961
                                      Strings
                                      • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
                                      • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410911
                                      • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0041091E
                                      • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: FromStringUuid$memcpy
                                      • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                      • API String ID: 2859077140-2022683286
                                      • Opcode ID: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
                                      • Instruction ID: 9e6d0ab6f4d779539f8eb1da53a4fb6c135c1230b89e6f6df403d509513a9b08
                                      • Opcode Fuzzy Hash: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
                                      • Instruction Fuzzy Hash: AD1151B391011DAAEF11EEA5DC80EEB37ACAB45350F040027F951E3251E6B4D9458BA5
                                      APIs
                                        • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                      • _mbscpy.MSVCRT ref: 00409686
                                      • _mbscpy.MSVCRT ref: 00409696
                                      • GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
                                        • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: PrivateProfile_mbscpy$AttributesFileString
                                      • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                      • API String ID: 888011440-2039793938
                                      • Opcode ID: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
                                      • Instruction ID: 35163425d10a67bbe8c9c36fe52ba00322d2719519e04c12929343b9a05e3383
                                      • Opcode Fuzzy Hash: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
                                      • Instruction Fuzzy Hash: 51F09621EC021636EA113A315C47F6E75148F91B16F1546BBBD057B2C3EA6C8D21819F
                                      APIs
                                      Strings
                                      • database %s is already in use, xrefs: 0042E9CE
                                      • cannot ATTACH database within transaction, xrefs: 0042E966
                                      • database is already attached, xrefs: 0042EA97
                                      • attached databases must use the same text encoding as main database, xrefs: 0042EAE6
                                      • too many attached databases - max %d, xrefs: 0042E951
                                      • unable to open database: %s, xrefs: 0042EBD6
                                      • out of memory, xrefs: 0042EBEF
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpymemset
                                      • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                      • API String ID: 1297977491-2001300268
                                      • Opcode ID: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
                                      • Instruction ID: 706ac67067754653a22c48b2dfc2d31ecc94a00d4abf430cd75191e688397775
                                      • Opcode Fuzzy Hash: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
                                      • Instruction Fuzzy Hash: E5A1BFB16083119FD720DF26E441B1BBBE0BF84314F54491FF8998B252D778E989CB5A
                                      APIs
                                        • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                                      • strchr.MSVCRT ref: 0040327B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: PrivateProfileStringstrchr
                                      • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                      • API String ID: 1348940319-1729847305
                                      • Opcode ID: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                      • Instruction ID: 3c3f6fb7771655520bf9db4259302bbcc59fb1a7701990a2e81aa7d88bec6f27
                                      • Opcode Fuzzy Hash: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                      • Instruction Fuzzy Hash: 6C31A07094024EBEEF119F60CC45FDABF6CAF14319F10806AB59C7A1D1C7B99B948B54
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                      • API String ID: 3510742995-3273207271
                                      • Opcode ID: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                      • Instruction ID: 550cffa583b2c54ba2aa88b33b5e976ebd7c1d4e5c49a3816a9e471e7c07ee5b
                                      • Opcode Fuzzy Hash: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                      • Instruction Fuzzy Hash: D501D4B2FC86E428FA3006450C46FE74E4547BFB11F350017F78525AA5A09D0DC7816F
                                      APIs
                                        • Part of subcall function 00410863: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                        • Part of subcall function 00410863: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                        • Part of subcall function 00410863: memcpy.MSVCRT ref: 004108C3
                                      • strchr.MSVCRT ref: 0040371F
                                      • _mbscpy.MSVCRT ref: 00403748
                                      • _mbscpy.MSVCRT ref: 00403758
                                      • strlen.MSVCRT ref: 00403778
                                      • sprintf.MSVCRT ref: 0040379C
                                      • _mbscpy.MSVCRT ref: 004037B2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _mbscpy$FromStringUuid$memcpysprintfstrchrstrlen
                                      • String ID: %s@gmail.com
                                      • API String ID: 500647785-4097000612
                                      • Opcode ID: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                                      • Instruction ID: 26c7b24e36a56a715c82424c63065c573d607dcbd7bcbeb2789f412f71db7656
                                      • Opcode Fuzzy Hash: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                                      • Instruction Fuzzy Hash: 2F21AEF290415C5AEB11DB95DCC5FDAB7FCEB54308F0405ABF108E3181EA78AB888B65
                                      APIs
                                      • memset.MSVCRT ref: 004094C8
                                      • GetDlgCtrlID.USER32(?), ref: 004094D3
                                      • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                                      • memset.MSVCRT ref: 0040950C
                                      • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                                      • _strcmpi.MSVCRT ref: 00409531
                                        • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                      • String ID: sysdatetimepick32
                                      • API String ID: 3411445237-4169760276
                                      • Opcode ID: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                                      • Instruction ID: 275a188ed2e8c4d5dd974f468a7d06fe6df33147f8fd952053c2ef98a917a35b
                                      • Opcode Fuzzy Hash: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                                      • Instruction Fuzzy Hash: 2D11E773C051297EEB129754DC81EEF7BACEF5A315F0400B6FA08E2151E674DE848A64
                                      APIs
                                      • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                                      • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                                      • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                                      • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                                      • GetSysColor.USER32(0000000F), ref: 0040B472
                                      • DeleteObject.GDI32(?), ref: 0040B4A6
                                      • DeleteObject.GDI32(00000000), ref: 0040B4A9
                                      • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: MessageSend$DeleteImageLoadObject$Color
                                      • String ID:
                                      • API String ID: 3642520215-0
                                      • Opcode ID: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                      • Instruction ID: 78997c319ae04cc2c464f68e1b112159c67c6e7e05dd954700a2b997fe6bb290
                                      • Opcode Fuzzy Hash: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                      • Instruction Fuzzy Hash: 5A317275680308BFFA715B70DC87FD6B695EB48B00F104828F3857A1E1CAF279909B68
                                      APIs
                                      • GetSystemMetrics.USER32(00000011), ref: 004072E7
                                      • GetSystemMetrics.USER32(00000010), ref: 004072ED
                                      • GetDC.USER32(00000000), ref: 004072FB
                                      • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                                      • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                                      • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                                      • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                                      • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                      • String ID:
                                      • API String ID: 1999381814-0
                                      • Opcode ID: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                      • Instruction ID: 22bb5f5faf33eb927601db2df5736372c6ae1ca5e65390263d5238b88a5d6584
                                      • Opcode Fuzzy Hash: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                      • Instruction Fuzzy Hash: C611A536E00219AFDF008FF9DC49BAE7FB9EB44311F040175EE05E3290DA70A8418A90
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpymemset
                                      • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                      • API String ID: 1297977491-3883738016
                                      • Opcode ID: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                      • Instruction ID: e5ed660087d787d4baabea17299805ba1702756b87ddf288a6169370bd8562d9
                                      • Opcode Fuzzy Hash: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                      • Instruction Fuzzy Hash: FA128D75A00629DFCB14DF68E480AADBBB1BF08314F65409BE945AB341D738F981CF99
                                      APIs
                                        • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                                        • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                                        • Part of subcall function 00449550: memcpy.MSVCRT ref: 004495C8
                                        • Part of subcall function 00449550: memcpy.MSVCRT ref: 00449616
                                      • memcpy.MSVCRT ref: 0044972E
                                      • memcpy.MSVCRT ref: 0044977B
                                      • memcpy.MSVCRT ref: 004497F6
                                        • Part of subcall function 00449260: memcpy.MSVCRT ref: 00449291
                                        • Part of subcall function 00449260: memcpy.MSVCRT ref: 004492DD
                                      • memcpy.MSVCRT ref: 00449846
                                      • memcpy.MSVCRT ref: 00449887
                                      • memcpy.MSVCRT ref: 004498B8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy$memset
                                      • String ID: gj
                                      • API String ID: 438689982-4203073231
                                      • Opcode ID: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                      • Instruction ID: 4698d9130898d2a28bd34890c38a7d1df91d0c58a43dc6add7b2b2ec2d892026
                                      • Opcode Fuzzy Hash: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                      • Instruction Fuzzy Hash: AB71C9B35083448BE310EF65D88069FB7E9BFD5344F050A2EE98997301E635DE09C796
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: __aulldvrm$__aullrem
                                      • String ID: -$-x0$0123456789ABCDEF0123456789abcdef
                                      • API String ID: 643879872-978417875
                                      • Opcode ID: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                                      • Instruction ID: 9a4dcd4671c0eaaf570ced65c0a394ff57d12b60ca94b612a12fd923c93321e5
                                      • Opcode Fuzzy Hash: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                                      • Instruction Fuzzy Hash: 09618C315083819FD7218F2886447ABBBE1AFC6704F18495FF8C4D7352D3B8C9998B4A
                                      APIs
                                      • GetDlgItem.USER32(?,000003E9), ref: 00405827
                                      • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00405840
                                      • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 0040584D
                                      • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405859
                                      • memset.MSVCRT ref: 004058C3
                                      • SendMessageA.USER32(?,00001019,?,?), ref: 004058F4
                                      • SetFocus.USER32(?), ref: 00405976
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: MessageSend$FocusItemmemset
                                      • String ID:
                                      • API String ID: 4281309102-0
                                      • Opcode ID: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                                      • Instruction ID: c72ca3e99ea405196032a5824f130882485a5617ada8e3d881518c79e7018221
                                      • Opcode Fuzzy Hash: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                                      • Instruction Fuzzy Hash: 4241F8B5900209AFDB20DF94DC81EAEBBB9EF04358F1440AAE908B7291D7759E50DF94
                                      APIs
                                        • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                        • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                                      • _mbscat.MSVCRT ref: 0040A8FF
                                      • sprintf.MSVCRT ref: 0040A921
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: FileWrite_mbscatsprintfstrlen
                                      • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                      • API String ID: 1631269929-4153097237
                                      • Opcode ID: 1edff87013eeafc9988ac017b7f9a6f14c9cca9b6a50fb5f6e60c21e7938a174
                                      • Instruction ID: 568bce87a3ef0860ab630a318aded4c5cbf938598f8cce33e7c60ad495c5b4cb
                                      • Opcode Fuzzy Hash: 1edff87013eeafc9988ac017b7f9a6f14c9cca9b6a50fb5f6e60c21e7938a174
                                      • Instruction Fuzzy Hash: 88318F32900208AFDF15DF94C886EDE7BB5FF44314F11416AF911BB2A2D779A951CB84
                                      APIs
                                      • memset.MSVCRT ref: 0040810E
                                        • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                        • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                        • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                        • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
                                      • LocalFree.KERNEL32(?,?,?,?,?,00000000,7686EB20,?), ref: 004081B9
                                        • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                        • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                        • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                                      • String ID: POP3_credentials$POP3_host$POP3_name
                                      • API String ID: 524865279-2190619648
                                      • Opcode ID: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
                                      • Instruction ID: 3679de1ec208362151a8ef0ee52fb8317fff865e06d3e7d86d66f539d2f4ec3f
                                      • Opcode Fuzzy Hash: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
                                      • Instruction Fuzzy Hash: 5331507594021DAFDB11DB698C81EEEBB7CEF59304F0040BAF904A3141D6349A458F64
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ItemMenu$CountInfomemsetstrchr
                                      • String ID: 0$6
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: memcpystrlen$memsetsprintf
                                      • String ID: %s (%s)
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _mbscat$memsetsprintf
                                      • String ID: %2.2X
                                      APIs
                                        • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                                      • GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
                                      • ??2@YAPAXI@Z.MSVCRT ref: 004441C2
                                      • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
                                        • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                        • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
                                        • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT ref: 00444075
                                        • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                        • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
                                        • Part of subcall function 00444059: memcpy.MSVCRT ref: 004440EB
                                        • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT ref: 0044417E
                                      • ??3@YAXPAX@Z.MSVCRT ref: 004441FC
                                      • CloseHandle.KERNEL32(?), ref: 00444206
                                      Strings
                                      Similarity
                                      • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                      • String ID: ACD
                                      APIs
                                      • memset.MSVCRT ref: 004091EC
                                      • sprintf.MSVCRT ref: 00409201
                                        • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
                                        • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                        • Part of subcall function 0040929C: _mbscpy.MSVCRT ref: 004092FC
                                      • SetWindowTextA.USER32(?,?), ref: 00409228
                                      • EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
                                      Strings
                                      Similarity
                                      • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                                      • String ID: caption$dialog_%d
                                      APIs
                                      • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
                                      • memset.MSVCRT ref: 00410246
                                      • memset.MSVCRT ref: 00410258
                                        • Part of subcall function 004100CC: _mbscpy.MSVCRT ref: 004100F2
                                      • memset.MSVCRT ref: 0041033F
                                      • _mbscpy.MSVCRT ref: 00410364
                                      • CloseHandle.KERNEL32(?,0040FE66,?), ref: 004103AE
                                      Similarity
                                      • API ID: memset$_mbscpy$CloseHandleOpenProcess
                                      • String ID:
                                      APIs
                                      • wcslen.MSVCRT ref: 0044406C
                                      • ??2@YAPAXI@Z.MSVCRT ref: 00444075
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                        • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433A0
                                        • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433BE
                                        • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433D9
                                        • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443402
                                        • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443426
                                      • strlen.MSVCRT ref: 004440D1
                                        • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT ref: 00443507
                                        • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT ref: 00443516
                                      • memcpy.MSVCRT ref: 004440EB
                                      • ??3@YAXPAX@Z.MSVCRT ref: 0044417E
                                      Similarity
                                      • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                      • String ID:
                                      APIs
                                        • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                        • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                                      • _strcmpi.MSVCRT ref: 00404518
                                      • _strcmpi.MSVCRT ref: 00404536
                                      Strings
                                      Similarity
                                      • API ID: _strcmpi$memcpystrlen
                                      • String ID: imap$pop3$smtp
                                      APIs
                                      • memset.MSVCRT ref: 0040C02D
                                        • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                        • Part of subcall function 00408DB6: memcpy.MSVCRT ref: 00408EBE
                                        • Part of subcall function 00408DB6: _mbscpy.MSVCRT ref: 00408E31
                                        • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                        • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                                        • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                                        • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                                        • Part of subcall function 004076B7: memcpy.MSVCRT ref: 00407725
                                        • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                                        • Part of subcall function 004076B7: memcpy.MSVCRT ref: 00407743
                                        • Part of subcall function 004074EA: _mbscpy.MSVCRT ref: 00407550
                                      Strings
                                      Similarity
                                      • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                      • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                      APIs
                                      • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                                      • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                                      • OpenClipboard.USER32(?), ref: 0040C1B1
                                      • GetLastError.KERNEL32 ref: 0040C1CA
                                      • DeleteFileA.KERNEL32(00000000), ref: 0040C1E7
                                      Similarity
                                      • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                      • String ID:
                                      APIs
                                      • memcmp.MSVCRT ref: 00406151
                                        • Part of subcall function 0040607F: memcmp.MSVCRT ref: 0040609D
                                        • Part of subcall function 0040607F: memcpy.MSVCRT ref: 004060CC
                                        • Part of subcall function 0040607F: memcpy.MSVCRT ref: 004060E1
                                      • memcmp.MSVCRT ref: 0040617C
                                      • memcmp.MSVCRT ref: 004061A4
                                      • memcpy.MSVCRT ref: 004061C1
                                      Strings
                                      Similarity
                                      • API ID: memcmp$memcpy
                                      • String ID: global-salt$password-check
                                      APIs
                                      Similarity
                                      • API ID: ??3@
                                      • String ID:
                                      APIs
                                      • GetClientRect.USER32(?,?), ref: 004016A3
                                      • GetSystemMetrics.USER32(00000015), ref: 004016B1
                                      • GetSystemMetrics.USER32(00000014), ref: 004016BD
                                      • BeginPaint.USER32(?,?), ref: 004016D7
                                      • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
                                      • EndPaint.USER32(?,?), ref: 004016F3
                                      Similarity
                                      • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                      • String ID:
                                      APIs
                                      • memset.MSVCRT ref: 0040644F
                                      • memcpy.MSVCRT ref: 00406462
                                      • memcpy.MSVCRT ref: 00406475
                                        • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                                        • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                                        • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                                        • Part of subcall function 00404888: memcpy.MSVCRT ref: 004048FC
                                        • Part of subcall function 00404888: memcpy.MSVCRT ref: 0040490E
                                      • memcpy.MSVCRT ref: 004064B9
                                      • memcpy.MSVCRT ref: 004064CC
                                      • memcpy.MSVCRT ref: 004064F9
                                      • memcpy.MSVCRT ref: 0040650E
                                        • Part of subcall function 00406286: memcpy.MSVCRT ref: 004062B2
                                      Similarity
                                      • API ID: memcpy$memset
                                      • String ID:
                                      APIs
                                        • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                        • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                        • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                        • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
                                      • strlen.MSVCRT ref: 0040F7BE
                                      • _mbscpy.MSVCRT ref: 0040F7CF
                                      • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
                                      Strings
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
                                      • String ID: Passport.Net\*
                                      APIs
                                        • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                                      • memset.MSVCRT ref: 0040330B
                                      • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                                      • strchr.MSVCRT ref: 0040335A
                                        • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                                      • strlen.MSVCRT ref: 0040339C
                                        • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                                      Strings
                                      Similarity
                                      • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                      • String ID: Personalities
                                      APIs
                                      • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                      • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                      • memcpy.MSVCRT ref: 004108C3
                                      Strings
                                      • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 00410875
                                      • 00000000-0000-0000-0000-000000000000, xrefs: 00410882
                                      Similarity
                                      • API ID: FromStringUuid$memcpy
                                      • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                                      APIs
                                      • memset.MSVCRT ref: 00444573
                                        • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                        • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                      Strings
                                      Similarity
                                      • API ID: CloseOpenQueryValuememset
                                      • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                      • API String ID: 1830152886-1703613266
                                      • Opcode ID: baf3755ad005164e852b951840563bf60568ed10c800e15668adf960084471f0
                                      • Instruction ID: e49b40feb516e52fd010a51085a75c79e183d02607987ed0dc43077d9115a6c0
                                      • Opcode Fuzzy Hash: baf3755ad005164e852b951840563bf60568ed10c800e15668adf960084471f0
                                      • Instruction Fuzzy Hash: E80196B6A00118BBEF11AA569D01F9A777CDF90355F1000A6FF08F2212E6749F599698
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID: H
                                      • API String ID: 2221118986-2852464175
                                      • Opcode ID: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
                                      • Instruction ID: 41a1901620add3bbd0c629c105807ca0f7ae5b253a5bd6696a221ab72d79fc9a
                                      • Opcode Fuzzy Hash: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
                                      • Instruction Fuzzy Hash: C0916C75D00219DFDF24DFA5D881AEEB7B5FF48300F10849AE959AB201E734AA45CF98
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                      • API String ID: 3510742995-3170954634
                                      • Opcode ID: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
                                      • Instruction ID: e987c9c84479fff69dc62f11a90029b17cbd8b5ab9a96ddea988199e68ce63eb
                                      • Opcode Fuzzy Hash: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
                                      • Instruction Fuzzy Hash: 2361C235B006259FCB04DF68E484BAEFBF1BF44314F55809AE904AB352D738E980CB98
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy$memset
                                      • String ID: winWrite1$winWrite2
                                      • API String ID: 438689982-3457389245
                                      • Opcode ID: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                                      • Instruction ID: c2532708ffcca3880dfc28061b61c902a2330187b6102c2a8a28e688d44e82e0
                                      • Opcode Fuzzy Hash: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                                      • Instruction Fuzzy Hash: 86418072A00209EBDF00DF95CC85BDE7775FF85315F14411AE924A7280D778EAA4CB99
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpymemset
                                      • String ID: winRead
                                      • API String ID: 1297977491-2759563040
                                      • Opcode ID: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                      • Instruction ID: 3ec02e552038d814b148e8dc6d2e6fcfdb14063e9eab1ef980803e4d567ed084
                                      • Opcode Fuzzy Hash: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                      • Instruction Fuzzy Hash: DC31C372A00218ABDF10DF69CC46ADF776AEF84314F184026FE14DB241D334EE948BA9
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpymemset
                                      • String ID: gj
                                      • API String ID: 1297977491-4203073231
                                      • Opcode ID: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                      • Instruction ID: 902d5c3a1247e7abcff0c4a84da7d54d3a467651d8a5431b25503c8ae0e770b6
                                      • Opcode Fuzzy Hash: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                      • Instruction Fuzzy Hash: AF216A733443402BF7259A3ACC41B5B775DDFCA318F16041EF68A8B342E67AEA058715
                                      APIs
                                      • GetParent.USER32(?), ref: 004090C2
                                      • GetWindowRect.USER32(?,?), ref: 004090CF
                                      • GetClientRect.USER32(00000000,?), ref: 004090DA
                                      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                                      • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Window$Rect$ClientParentPoints
                                      • String ID:
                                      • API String ID: 4247780290-0
                                      • Opcode ID: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                      • Instruction ID: bdfce0b549e0f997c013470e25be1f804495b962c90005f3873202e4793523b9
                                      • Opcode Fuzzy Hash: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                      • Instruction Fuzzy Hash: 6A012D36801129BBDB119FA59C89EFFBFBCFF46750F044125FD05A2141D77455018BA5
                                      APIs
                                        • Part of subcall function 00407107: memset.MSVCRT ref: 00407127
                                        • Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
                                        • Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C
                                      • SetBkMode.GDI32(?,00000001), ref: 0041079E
                                      • GetSysColor.USER32(00000005), ref: 004107A6
                                      • SetBkColor.GDI32(?,00000000), ref: 004107B0
                                      • SetTextColor.GDI32(?,00C00000), ref: 004107BE
                                      • GetSysColorBrush.USER32(00000005), ref: 004107C6
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Color$BrushClassModeNameText_strcmpimemset
                                      • String ID:
                                      • API String ID: 2775283111-0
                                      • Opcode ID: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
                                      • Instruction ID: 687cb18978465a3feaaa07aa3b8de37e8775815fe2b8de28c5581ef0bdca0d30
                                      • Opcode Fuzzy Hash: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
                                      • Instruction Fuzzy Hash: AAF03135101109BBCF112FA5DC49ADE3F25EF05711F14812AFA25A85F1CBB5A990DF58
                                      APIs
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004147CE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                      • String ID: winSeekFile$winTruncate1$winTruncate2
                                      • API String ID: 885266447-2471937615
                                      • Opcode ID: 3989f365befeb7fb84bae78e7a4911c3188eb7aafc144da4ed62710c54f6e9f9
                                      • Instruction ID: 76c2d8f9c45a6ab14154b13c081d04d7f34c1e3f6c53ca943db3ce1179081271
                                      • Opcode Fuzzy Hash: 3989f365befeb7fb84bae78e7a4911c3188eb7aafc144da4ed62710c54f6e9f9
                                      • Instruction Fuzzy Hash: 5C313175600700AFE720AF65CC41EABB7E8FB88715F104A2EF965932D1D734E8808B29
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _strcmpi$_mbscpy
                                      • String ID: smtp
                                      • API String ID: 2625860049-60245459
                                      • Opcode ID: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
                                      • Instruction ID: 1dd5f7db1b4edf1a80ad81ce147274c535078e8a2a303909ef95c05f23963bac
                                      • Opcode Fuzzy Hash: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
                                      • Instruction Fuzzy Hash: DB11C872500219ABEB10AB66CC41A8A7399EF40358F10453BE945F71C2EF39E9698B98
                                      APIs
                                        • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                      • memset.MSVCRT ref: 00408258
                                        • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082C3
                                      Strings
                                      • Software\Google\Google Desktop\Mailboxes, xrefs: 00408230
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Close$EnumOpenmemset
                                      • String ID: Software\Google\Google Desktop\Mailboxes
                                      • API String ID: 2255314230-2212045309
                                      • Opcode ID: b9c6ba0a09f39c77023865a56f43d31249d27d4aeb116fb61def55debc704f1d
                                      • Instruction ID: e7ff4aa50d33639bacb2d5000aefce928628a80d8311d3545e17288fa3d3d8ee
                                      • Opcode Fuzzy Hash: b9c6ba0a09f39c77023865a56f43d31249d27d4aeb116fb61def55debc704f1d
                                      • Instruction Fuzzy Hash: 9D118F72408345ABD710EE51DC01EABBBACEFD0344F04093EBD9491091EB75D958C6AA
                                      APIs
                                      • memset.MSVCRT ref: 0040C28C
                                      • SetFocus.USER32(?,?), ref: 0040C314
                                        • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: FocusMessagePostmemset
                                      • String ID: S_@$l
                                      • API String ID: 3436799508-4018740455
                                      • Opcode ID: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
                                      • Instruction ID: f4172cee4733ded4edf5c13384372fb960b3a31eee454cf66b40e3553cb76095
                                      • Opcode Fuzzy Hash: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
                                      • Instruction Fuzzy Hash: 1411A172900158CBDF219B14CD457DE7BB9AF81308F0800F5E94C7B296C7B45A89CFA9
                                      APIs
                                      • memset.MSVCRT ref: 004092C0
                                      • GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                      • _mbscpy.MSVCRT ref: 004092FC
                                      Strings
                                      • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 004092A9
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: PrivateProfileString_mbscpymemset
                                      • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>
                                      • API String ID: 408644273-3424043681
                                      • Opcode ID: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
                                      • Instruction ID: a8dcbc571cfa5336c44be942190f1d9429afcf202dd246abef1f156f809eb6de
                                      • Opcode Fuzzy Hash: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
                                      • Instruction Fuzzy Hash: 02F0E0725011A83AEB1297549C02FCA779CCB0D307F1440A2B749E20C1D5F8DEC44A9D
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _mbscpy
                                      • String ID: C^@$X$ini
                                      • API String ID: 714388716-917056472
                                      • Opcode ID: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                                      • Instruction ID: 848b4a5d233ab05c703a0d630411b91f0640a461eb42b4d170138ac17b774cf5
                                      • Opcode Fuzzy Hash: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                                      • Instruction Fuzzy Hash: F601B2B1D002489FDB50DFE9D9856CEBFF4AB08318F10802AE415F6240EB7895458F59
                                      APIs
                                        • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                        • Part of subcall function 00406FC7: _mbscpy.MSVCRT ref: 00407011
                                      • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                      • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                      • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                      • String ID: MS Sans Serif
                                      • API String ID: 3492281209-168460110
                                      • Opcode ID: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
                                      • Instruction ID: 97d77737ff66efe52178e6fda6de2dc92fca71035f8b3f8e7b76904d62d162b3
                                      • Opcode Fuzzy Hash: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
                                      • Instruction Fuzzy Hash: F5F02775A4130477E7317BA0EC47F4A3BACAB41B00F044535F652B50E1D2F4A404CB48
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ClassName_strcmpimemset
                                      • String ID: edit
                                      • API String ID: 275601554-2167791130
                                      • Opcode ID: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
                                      • Instruction ID: 4378e7120b76b93f9ba7f3ad81c4d59275eb15acd3879ac3f183c71196eabbb1
                                      • Opcode Fuzzy Hash: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
                                      • Instruction Fuzzy Hash: ADE09BB2C4016A6AEB21A664DC01FE5776CDF59704F0400B6B945E2081E6A4A6884A95
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: strlen$_mbscat
                                      • String ID: 3CD
                                      • API String ID: 3951308622-1938365332
                                      • Opcode ID: d1143cf22a6afbd37b374b0806e036797619bbf072935b8337c8bafa4bdf7e65
                                      • Instruction ID: 1107c6f19d6a4433d5fdc1d3c5cfb72f3531f1d81a70b052f8a244d3c085287a
                                      • Opcode Fuzzy Hash: d1143cf22a6afbd37b374b0806e036797619bbf072935b8337c8bafa4bdf7e65
                                      • Instruction Fuzzy Hash: 1BD0A77390C2603AE61566167C42F8E5BC1CFD433AB15081FF408D1281DA3DE881809D
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID: rows deleted
                                      • API String ID: 2221118986-571615504
                                      • Opcode ID: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
                                      • Instruction ID: 17dfb349c3cd8fc2c2490db290532cf881f14abfa8d6012d9aa572d9710d7201
                                      • Opcode Fuzzy Hash: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
                                      • Instruction Fuzzy Hash: D5028171E00218AFDF14DFA5D981AEEBBB5FF08314F14005AF914B7291D7B9AA41CBA4
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ??2@$memset
                                      • String ID:
                                      • API String ID: 1860491036-0
                                      • Opcode ID: ebb40f1ae782bd27a9c9ebb170ff663f9279e29e1a89e233aa61efeea33ca50f
                                      • Instruction ID: bd2fcbe50e3d5b8ec1466eca70e60fda3411ba7e10a355e4f398212a99dd52d4
                                      • Opcode Fuzzy Hash: ebb40f1ae782bd27a9c9ebb170ff663f9279e29e1a89e233aa61efeea33ca50f
                                      • Instruction Fuzzy Hash: 973162B09107508FE751DF3A8845A16FBE4FF80B05F25486FD549CB2A2E779E5408B19
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$memcpy
                                      • String ID:
                                      • API String ID: 368790112-0
                                      • Opcode ID: e33439cddf26871f1b6b72d3f102fac71f305b2afc07238da9e6d18acb06c1a9
                                      • Instruction ID: 0e4d5a8aef3e538851842ff93af65fc880b0f2046ec3e537946e92548d274f73
                                      • Opcode Fuzzy Hash: e33439cddf26871f1b6b72d3f102fac71f305b2afc07238da9e6d18acb06c1a9
                                      • Instruction Fuzzy Hash: BB2162B650115DABDF11EE68CD41EDE77ACDF95304F0040A6B708E3151D2749F448B64
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset$memcpy
                                      • String ID:
                                      • API String ID: 368790112-0
                                      • Opcode ID: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                                      • Instruction ID: 358c417c53aa398974aae77e4359fd90ac0a4dba5340dfd55ca125e4bb0c9b0b
                                      • Opcode Fuzzy Hash: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                                      • Instruction Fuzzy Hash: 8E01D8B5A40B406BE235AE25CC03F2AB3A8DF91714F400A2EF692676C1D7B8F509915D
                                      APIs
                                      • __allrem.LIBCMT ref: 00425850
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00425885
                                      • __allrem.LIBCMT ref: 00425933
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042597B
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                      • String ID:
                                      • API String ID: 1992179935-0
                                      • Opcode ID: eeae426aa4a2dd52bce4edc8b714b0ba45551b1196620555c2276823dfb77c6c
                                      • Instruction ID: 2fc5b562d87482ee0bf7138f77baf3e4365ffd42061eb2d4d5abd72185a9e376
                                      • Opcode Fuzzy Hash: eeae426aa4a2dd52bce4edc8b714b0ba45551b1196620555c2276823dfb77c6c
                                      • Instruction Fuzzy Hash: C96180B1A00A29DFCF149B64D840AAEB7B1FF45320F68815AE548AB391D7389D81CF19
                                      APIs
                                      Strings
                                      • variable number must be between ?1 and ?%d, xrefs: 0042C5C2
                                      • too many SQL variables, xrefs: 0042C6FD
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                      • API String ID: 2221118986-515162456
                                      • Opcode ID: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                                      • Instruction ID: 69d39437184f158b69242413db2932325e78deb4f0df02558d14bae7a1bb2b74
                                      • Opcode Fuzzy Hash: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                                      • Instruction Fuzzy Hash: 93518B31B00626EFDB29DF68D481BEEB7A4FF09304F50016BE811A7251D779AD51CB88
                                      APIs
                                        • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
                                      • memset.MSVCRT ref: 004026AD
                                        • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                        • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                        • Part of subcall function 004108E5: memcpy.MSVCRT ref: 00410961
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
                                      • LocalFree.KERNEL32(?), ref: 004027A6
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: ByteCharFromMultiStringUuidWide$FreeLocalQueryValuememcpymemset
                                      • String ID:
                                      • API String ID: 1593657333-0
                                      • Opcode ID: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
                                      • Instruction ID: aa14e43d8b473801bf9d2631992dc1640396fa6537153de3cc175e43cdbeb3f4
                                      • Opcode Fuzzy Hash: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
                                      • Instruction Fuzzy Hash: 0B4183B1408384BFD711DB60CD85AAB77D8AF89314F044A3FF998A31C1D679DA44CB5A
                                      APIs
                                      • memset.MSVCRT ref: 0040C922
                                      • SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C966
                                      • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C980
                                      • PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040CA23
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Message$MenuPostSendStringmemset
                                      • String ID:
                                      • API String ID: 3798638045-0
                                      • Opcode ID: baefdefab252ba5ebdbc5dbfb72098888a57285fb2abb1b9f47d437d3554fda2
                                      • Instruction ID: 1bc0f942f430aed347c7303033341c470b8779a554354b53929018aa447f6f2a
                                      • Opcode Fuzzy Hash: baefdefab252ba5ebdbc5dbfb72098888a57285fb2abb1b9f47d437d3554fda2
                                      • Instruction Fuzzy Hash: A241D071600215EBCB24CF24C8C5B97B7A4BF05325F1483B6E958AB2D2C3789D81CBD8
                                      APIs
                                        • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT ref: 00409E0E
                                        • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT ref: 00409ED5
                                      • strlen.MSVCRT ref: 0040B60B
                                      • atoi.MSVCRT ref: 0040B619
                                      • _mbsicmp.MSVCRT ref: 0040B66C
                                      • _mbsicmp.MSVCRT ref: 0040B67F
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _mbsicmp$??2@??3@atoistrlen
                                      • String ID:
                                      • API String ID: 4107816708-0
                                      • Opcode ID: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
                                      • Instruction ID: e44d10e2ba05df3f3c4ea20365ac2b40f6a529c5f902ff1350b2aa0f2f7d2ce1
                                      • Opcode Fuzzy Hash: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
                                      • Instruction Fuzzy Hash: 3A413D35900204EFCF10DFA9C481AA9BBF4FF48348F1144BAE815AB392D739DA41CB99
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
                                      • String ID:
                                      • API String ID: 1886415126-0
                                      • Opcode ID: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                                      • Instruction ID: 0fc2308174198aa020173da426f8fce31fb0284c5be342abf897f659f69a0370
                                      • Opcode Fuzzy Hash: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                                      • Instruction Fuzzy Hash: 6F21E472A013145BD320EB69C846B5BB7D8AF44734F044A1FFAA8D73D1D738E9448699
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: strlen
                                      • String ID: >$>$>
                                      • API String ID: 39653677-3911187716
                                      • Opcode ID: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
                                      • Instruction ID: 00f684ae2741cafacb4c0f359147db44c9a3c2c025b4d94400920e38b4f60055
                                      • Opcode Fuzzy Hash: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
                                      • Instruction Fuzzy Hash: E131261180D6C4AEEB11CFA880463EEFFB05FA2304F5886DAD0D047743C67C964AC3AA
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID: @
                                      • API String ID: 3510742995-2766056989
                                      • Opcode ID: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                                      • Instruction ID: 6d1199ef97cb2679a5b3fe4a4c98cea7b7ae300cfbacc21e3dff9814a3884c4c
                                      • Opcode Fuzzy Hash: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                                      • Instruction Fuzzy Hash: 41113DB2E007046BDB288E96DC80D5A77A8EFA0354700013FFE06662D1F639EA5DC7D8
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _strcmpi
                                      • String ID: C@$mail.identity
                                      • API String ID: 1439213657-721921413
                                      • Opcode ID: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                                      • Instruction ID: e081b0b03caa8c584547328dd3c7b46ba64ccdb110812537a35def5e1e6d8c92
                                      • Opcode Fuzzy Hash: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                                      • Instruction Fuzzy Hash: DD110A325002199BEB20AA65DC41E8A739CEF00358F10453FF545B6182EF38F9598B98
                                      APIs
                                      • memset.MSVCRT ref: 00406640
                                        • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
                                        • Part of subcall function 004063B2: memcpy.MSVCRT ref: 00406462
                                        • Part of subcall function 004063B2: memcpy.MSVCRT ref: 00406475
                                      • memcmp.MSVCRT ref: 00406672
                                      • memcpy.MSVCRT ref: 00406695
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy$memset$memcmp
                                      • String ID: Ul@
                                      • API String ID: 270934217-715280498
                                      • Opcode ID: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                      • Instruction ID: 50cfa42ee3f36d69bd2a91aaf20a03d2fa08f341615043147a7a382cdea3e611
                                      • Opcode Fuzzy Hash: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                      • Instruction Fuzzy Hash: 46017572A0020C6BEB10DAA58C06FEF73ADAB44705F450436FE49F2181E679AA1987B5
                                      APIs
                                        • Part of subcall function 004176F4: memcmp.MSVCRT ref: 004177B6
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418726
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418770
                                      Strings
                                      • recovered %d pages from %s, xrefs: 004188B4
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
                                      • String ID: recovered %d pages from %s
                                      • API String ID: 985450955-1623757624
                                      • Opcode ID: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                                      • Instruction ID: 98aa3c95e39363207900286e283e4ca218167c091a2ac8f6aa08d387a6555cb7
                                      • Opcode Fuzzy Hash: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                                      • Instruction Fuzzy Hash: BA81AF759006049FDB25DBA8C880AEFB7F6EF84324F25441EE95597381DF38AD82CB58
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _ultoasprintf
                                      • String ID: %s %s %s
                                      • API String ID: 432394123-3850900253
                                      • Opcode ID: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
                                      • Instruction ID: 5b4e28b1b4fc8494891684f3550fd3cb18a3cec27640a2844273e51cea36df92
                                      • Opcode Fuzzy Hash: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
                                      • Instruction Fuzzy Hash: 80412331504A15C7C93595648B8DBEBA3A8BB46300F5804BFDCAAB32C0D3FCAD42865E
                                      APIs
                                      • LoadMenuA.USER32(00000000), ref: 00409078
                                      • sprintf.MSVCRT ref: 0040909B
                                        • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                                        • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                                        • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                                        • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                                        • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                                        • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                                        • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                      • String ID: menu_%d
                                      • API String ID: 1129539653-2417748251
                                      • Opcode ID: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                      • Instruction ID: bbc3668ae8aad1463aedfde5e5dd5b48340f77aa4c3989790123ead7330def9b
                                      • Opcode Fuzzy Hash: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                      • Instruction Fuzzy Hash: 2ED0C260A4124036EA2023366C0AF4B1A099BC271AF14022EF000B20C3EBFC844482BE
                                      Strings
                                      • failed memory resize %u to %u bytes, xrefs: 00411706
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _msizerealloc
                                      • String ID: failed memory resize %u to %u bytes
                                      • API String ID: 2713192863-2134078882
                                      • Opcode ID: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                                      • Instruction ID: 6d708a2afe7937de994116278d2c06faa365a3e4d7322368aba5da3f7b150b0b
                                      • Opcode Fuzzy Hash: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                                      • Instruction Fuzzy Hash: DBD0C2329092107EEB152250AC03B5FAB51DB80374F25850FF658451A1E6795C108389
                                      APIs
                                        • Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104), ref: 00406FA1
                                      • strrchr.MSVCRT ref: 00409808
                                      • _mbscat.MSVCRT ref: 0040981D
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: FileModuleName_mbscatstrrchr
                                      • String ID: _lng.ini
                                      • API String ID: 3334749609-1948609170
                                      • Opcode ID: 98f2440ea2097efbff780d18735bc8e6eaa27cf1360ec9cb317463341ca83b29
                                      • Instruction ID: 627d3aba04136714d7c1818045af5338c576ea1e6c84acb30438f8bc90b354f8
                                      • Opcode Fuzzy Hash: 98f2440ea2097efbff780d18735bc8e6eaa27cf1360ec9cb317463341ca83b29
                                      • Instruction Fuzzy Hash: 73C080019497D018F12235212D03F4F06884F83709F34005FF801796C3EF9CA611407F
                                      APIs
                                      • _mbscpy.MSVCRT ref: 004070EB
                                        • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                        • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                      • _mbscat.MSVCRT ref: 004070FA
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: _mbscat$_mbscpystrlen
                                      • String ID: sqlite3.dll
                                      • API String ID: 1983510840-1155512374
                                      • Opcode ID: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                                      • Instruction ID: ab8058c300e11a65186fba7fca0927c942ef8f40a12134081a956aaad4b84faf
                                      • Opcode Fuzzy Hash: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                                      • Instruction Fuzzy Hash: 42C0803340517035770276717D03A9F794DCF81355B01045AF54451112F529891241EB
                                      APIs
                                      • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: PrivateProfileString
                                      • String ID: A4@$Server Details
                                      • API String ID: 1096422788-4071850762
                                      • Opcode ID: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                                      • Instruction ID: 3fa8da6ebb007cc1aa22036e73777017e29eb1af1cc7e931feee2a89adc62c4b
                                      • Opcode Fuzzy Hash: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                                      • Instruction Fuzzy Hash: C8C08C32189301BAEA418F80AD46F0EBBA2EBA8B00F044409B244200A682B94020EF17
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy$memset
                                      • String ID:
                                      • API String ID: 438689982-0
                                      • Opcode ID: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
                                      • Instruction ID: 02088d5bd302ba8124152156f4c24fba1fa2279ed4138068a4a2dd0dfc44ef6b
                                      • Opcode Fuzzy Hash: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
                                      • Instruction Fuzzy Hash: BC61BDB2604712AFD710DF65E8C1B2BB7E5FF84304F40892EF99896250D338E955CB9A
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: FreeLocalmemcpymemsetstrlen
                                      • String ID:
                                      • API String ID: 3110682361-0
                                      • Opcode ID: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                                      • Instruction ID: 01a4a4a03dd67d82f411e1dd6e1cb40c430aa3add0a741e9cb7308dd065d79ab
                                      • Opcode Fuzzy Hash: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                                      • Instruction Fuzzy Hash: A331E572D0011DABDB10DB68CD81BDEBBB8EF55314F1005BAE944B7281DA38AE858B94
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.1274049543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_400000_wcNDx6MT9O.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID:
                                      • API String ID: 3510742995-0
                                      • Opcode ID: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                      • Instruction ID: 2ace43f3ece935e7cd0bce4b95d7f51bbc88ae08637005f1eff78ef908a12d17
                                      • Opcode Fuzzy Hash: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                      • Instruction Fuzzy Hash: 4B1189B3E002186BEB00EFA5DC49EDEB7ACEB59311F454536FA05DB141E634E648C7A8